The Sad Tale of a Security Whistleblower
Mark Rasch, 2003-08-18

Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.

(shrug) - he had it coming. 2003-08-18
Penguinisto (6 replies)
You wouldn't go break into someone's house just to tell each member of the family just how insecure Daddy's deadbolt installation was, would you?

FWIW, if I were this guy, I'd just post the vuln and its explanation to Bugtraq and similar lists, and be sure to name names. If that didn't shame Torn...

(shrug) - he had it coming. 2003-08-18
Anonymous (1 replies)
Where does it state that he broke into the system? From the article it seems that the only thing McDanel is guilty of is embarrassing Tornado into action. This is an issue of First Amendment rights and is nothing to shrug about. I would posit that McDanel did what was ethical. I believe it is une...

(shrug) - he had it coming. 2003-08-18
Beelezubb (4 replies)
It does state that he sent a mass email... which implies one of two things:

- he had a list of all customers (effectively stealing)
- he used a backdoor to get the list of customers (effectively B&E)

Whichever method he used, it's still on shaky ground. He should have posted it to Bugtraq...

(shrug) - he had it coming. 2003-08-18
Anonymous (2 replies)
He could have sent an email to an alias such as customers@tornado.com. Would you call that breaking in? It's done all the time by Fortune 500 companies in mass emails (SPAM)...

(shrug) - he had it coming. 2003-08-19
Anonymous
He had to have known the alias, and in this case he would be guilty of spam...

no good deed goes unpunished 2003-08-20
Anton Sherwood (1 replies)
He didn't send to a mass alias: he staggered the message over several days, precisely to *avoid* causing a DoS. To do that, he needed a list of subscribers. We don't know how he got that, but evidently neither the Gummint nor Tornado saw fit to prosecute him for stealing it!...

no good deed goes unpunished 2003-08-25
Anonymous
What leads you to believe that he didn't just send emails to random names@tornado.net. It works for spammers with yahoo, hotmail, etc. and is easier than breaking into their system to get addresses. I'm going to assume that he didn't steal the addresses or infiltrate their systems because he is no...

(shrug) - he had it coming. 2003-08-18
CyCOtiC (2 replies)
Beelezubb,
I think you have misread the article. He was an employee, which in my eyes does not constitute breaking in and stealing client details. The actual article is a double-edged sword: you're damned if you do, damned if you don't.
What would happen if he was the security expert in charge of th...

(shrug) - he had it coming. 2003-08-19
Beelezubb
The article states that he had quit his job and 6 months later sent the email...

(shrug) - he had it coming. 2003-08-19
Anonymous (1 replies)
He was a FORMER employee, left 6 months before the e-mail was sent. So he should not have still been in possession of customer details. Presumably he either:
- kept confidential client information 6 months after his employment
- obtained confidential client information 6 months after his employm...

(shrug) - he had it coming. 2003-08-19
Anonymous
Sounds like the whole thing SHOULD have been handled differently.

The Company SHOULD have fixed the problem to begin with.

The Customers SHOULD have been told. If a person has a right to know something, being told that something shouldn't get the teller in hot water.

He SHOULDN'T have been...

(shrug) - he had it coming. 2003-08-19
Mark D. Rasch (1 replies)
The list of names was simply userids comprised of numbers, e.g., tornado1, tornado2, etc. He knew this from having previously worked there, so all he needed to do was find out how MANY users there were... He apparently never broke into any Tornado computers.

MDR...

ah - that should've been included in the article, then... 2003-08-21
Penguinisto (1 replies)
I had assumed that he either swiped the customer list (i.e. stolen the key to the house in my analogy) or had exploited the vulnerability itself to ship the mails.

Given this information, IMHO he still screwed up, big-time - at the least for spamming (or possibly harassment), at the most for outri...

Posting to BugTraq does not get you off the hook... 2003-08-26
Anonymous
From the government's perspective, posting to BugTraq has the same effect as sending the email to the users. That effect is notifying would-be script-kiddies of the vulnerability, thus "impairing the integrity" of the network. Since this effect is the "probable" outcome of either action, it is def...

(beelezubb!) - he had it coming. 2003-08-19
scamerone

Geez. Anybody can get a list of email addresses.

Re: (shrug) - he had it coming. 2003-08-18
Anonymous (1 replies)
So you think that disclosure of a vulnerability is the same as breaking into a house? I really don't see the connection.

A better analogy would be seeing that a gate was always unlocked in a gated community and after trying to get the management to fix it, sending letters to all of the residents...

Re: (shrug) - he had it coming. 2003-08-19
Anonymous (1 replies)
I agree completely, but just to strengthen your argument: the residents to which the letter was sent would have to be affected by the unlocked gate for it to be more analogous to this guy's situation, just like the customers were affected by the security hole....

he had it coming? I don't think so!. 2003-08-19
Jack.R.Abbit
People who live in a gated community often do so because they are more secure, since the gates are controlled by guards and/or resident keys. If a gate was left unlocked, anyone could get into the property and cause trouble. This affects the residents just the same as if there was a backdo...

(shrug) - he had it coming. 2003-08-19
Anonymous (2 replies)
He didn't break into anything. You completely missed the entire point of the article. It's about free speech. A truer analogy would be telling the guy next to you in the check-out line at the hardware store that the deadbolt lock he's buying can be easily jimmied and then showing him how. Read th...

Analogies 2003-08-19
SCamerone (1 replies)

Assuming you're not fed up yet, here's
my analogy:

1. I used to work for a company A, developing
product X. (Pick whatever industry you can imagine, e.g. Firestone tires)

2. There's a security problem with the product and I try to convince management
to fix it.

3a. I quit the company b...

Analogies 2003-08-19
Anonymous-Jerk (2 replies)
I think you all missed the point. This is a civil matter, i.e. slander. It's the same as taking client lists from a former law firm and disclosing their dirty laundry in an attempt to hurt their image. Typically, monetary compensation would have been awarded. This particular interpretation of fed...

Analogies 2003-08-20
Drg (1 replies)
You'd try to prosecute someone for them revealing flaws in your code? Are you completely stupid?

People need to grow the hell up and stop being so damn proud. Nobody's perfect. I've coded my share of security vulnerabilities in my life and when someone reveals one, I'll take it on board and learn...

Analogies 2003-08-26
Anonymous
Um, they were being facetious, I believe....

Analogies 2003-08-27
SCamerone

Well. If they had just prosecuted him for slander, I'd be all for it. Their approach was using the hacking laws though....

"Free Speech"? Puh-leeze. 2003-08-21
Penguinisto (1 replies)
Re: The criminal charges -

He had to get the e-mail list from somewhere, no? In light of Mr. Rasch's addendum in the talkbacks, the criminal aspect is much smaller than I had gathered from the original article, but getting the exact number of ISP customers in order to set up the mass mailing may ...

"Free Speech"? Puh-leeze. 2003-08-21
Anonymous
Actually, they are considered a common carrier, which means they aren't supposed to censor, and that they also aren't responsible for the content that is sent through them. There were a bunch of court cases regarding this in the 80's involving the precursor to AOL and GEnie and CompuServe, etc...

(shrug) - he had it coming. 2003-08-20
Anonymous (1 replies)
Actually, it's more like sending a letter to everyone renting a room in the boarding house where the deadbolt on the front door is installed backward and requires people inside to use a key but is open for anyone outside to walk in....

(shrug) - he had it coming. 2003-08-21
Penguinisto
I agree, in light of Mark Rasch's addendum further up in the talkbacks... I'd surmised from the original article that he'd gotten the e-mail list from somewhere, and had to break in (or steal it on his way to the unemployment line) to get it.

Ah well - live + learn :)

/P...

(shrug) - he had it coming. 2003-08-26
Anonymous
I'm sure there is more to this guy's departure from his employer than it says here.

Nonetheless, there are professional (and legal) ways of notifying people about problems. What this guy did was malicious and caused disruption for which the business could, at the very least, sue for compensation....

Re: (shrug) - he had it coming. 2008-02-12
Anonymous
If I remember correctly, McDanel also signed each of us up for all the rag magazines at the time, through which we received hundreds of emails per person. I understand that is denial of service, which he wasn't tried for, but based on your article, you make him look like a saint.

Does anyone kno...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (5 replies)
This guy got what he deserved. Freedom of information, computer laws, etc. weren't put in place to protect people with a basic grudge against a former employer. Did the company display bad ethics? Sure. But that doesn't excuse his poor judgement and using information he learned while working for the ...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (2 replies)
This is an interesting story. My condolences to McDanel. As a Security Specialist myself I must say that LAW itself is convoluted. From what I gather so far, it seems the other two posers here feel the guy got what he deserved. Naive to say the least.

Let's look at this issue from the standpo...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
Bret wasn't a "security specialist", he was a disgruntled sysadmin, who, despite what the article says, was fired. He didn't really care about the company, he just wanted revenge....

The Sad Tale of a Security Whistleblower - Wakeup 2003-08-19
Anonymous (1 replies)
Um...Not quite.

Ok, you're the Security Specialist. We all appreciate that you're trying to do your job. However, there "should be" company policies and procedures on what to do if something like this is found.

In the case that there are no policies or procedures it is up to you, the Secur...

The Sad Tale of a Security Whistleblower - Wakeup 2003-08-29
Anonymous
In other words, duck ethical responsibility to cover your a**. Let the lawyers and congress be damned for writing a law that can imprison *anyone* for revealing information that could result in public damage, including terrorism! All legal wh***s go to h*** including the writer of this article who s...

The Sad Tale of a Security Whistleblower 2003-08-18
APS
Even if he used information he learned while at the employer in conflict with a non-disclosure agreement, this is a breach of contract, a civil matter, not a felony.
...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (2 replies)
The First Amendment was put in place EXACTLY for that reason! It almost sounds like you would rather live in a dictatorship where you aren't allowed to say anything negative -- for security reasons....

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous

Welcome to the post September 11, 2001 version of America....

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
> It almost sounds like you would rather live in a dictatorship where you aren't allowed to say anything negative -- for security reasons.

He does - The good old USA!
...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
Nor do three wrongs.

Congratulations, by the way . . .

for missing the entire point of the article. This guy may well have been a jerk who "got what was coming to him", but that's not the issue. The issue is that the California justice system bastardized existing digital information laws to pr...

The Sad Tale of a Security Whistleblower 2003-08-19
Brian
So in your opinion should the staff at the FBI be prosecuted for publishing Cyber Notes every 2 weeks? And, of course, as the US Government pays for the FBI, perhaps George W should be locked up as well?...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (1 replies)
Uh, did you guys read the same story I did? He did NOT break in through the hole that he discovered (and tried to get Tornado to fix). He sent Email warning the customers of the vulnerability.
That seems to be a pretty freaking reasonable facsimile of "responsible disclosure" to me: tell the compa...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (2 replies)
Ah, but how did he get the e-mail address of *every single Tornado customer*?? It's not like there's a generic "send-to-everyone" alias for just this purpose....

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
In this particular case, lefty used an announce@domain address which was used by the ISP to broadcast news to the customers.

He didn't steal the company's data... the company was stupid and left announce@ open for anyone to post to.

I wouldn't be surprised if it was still open....

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous (1 replies)
Um I hate to tell you, dear previous poster, but you are very ignorant in the way most corporate emails work. You don't HAVE to break in and get every email on a list to email everyone. If you actually had any semblance of a clue of how things work in the business world, there IS in fact usually a m...

The Sad Tale of a Security Whistleblower 2003-08-20
Drg (1 replies)
wtf is wrong with you, re-read the story. he *STAGGERED* the emails to prevent DoS.. which clearly means he COULDN'T USE ANY ALIASES.. he HAD to have a list.

How about before you post and take the piss out of someone next time, you actually read the story....

The Sad Tale of a Security Whistleblower 2003-08-22
Anonymous
All of this claptrap about where and how he obtained the email addresses would be very interesting... IF that had been what he was prosecuted for. But it wasn't. He was prosecuted and convicted and jailed for making public a vulnerability in a system to the people affected by that vulnerability. ...

The good, the bad and the ugly. 2003-08-18
Mabrick (2 replies)
The good thing about this is that the security vulnerability was fixed. I am sure that the remaining customers feel good about this.

The bad was that this fellow had an axe to grind against his former employer and used his expertise to fulfill his vendetta.

The ugly is that the employer would h...

The good, the bad and the ugly. 2003-08-18
Elc0chin0 (1 replies)
For you youngsters out there pretending to be InfoSecurity people let me shed some light on the subject here regarding the responsibility of the provider.

Years ago an incident occurred regarding a birth control pill, which was discovered to have serious side effects (i.e. birth defects). The ...

The good, the bad and the ugly. 2003-08-22
Anonymous
This has to rank right up there with the most ignorant rants I've ever read. Who made this a Republican/John Ashcroft issue? Since it happened in Kalifornia, chances are it was an ignorant Albore clone or Klinton-appointed judge/prosecutor involved.
What a moron....

The good, the bad and the ugly. 2003-08-19
Anonymous (1 replies)

The reality is that no for-profit company holds its customers' best interests in the highest regard. The customers' best interests are a means to the primary purpose, which is to provide profit or value to its owners or shareholders.

A corporate CEO is not accountable to customers, he/she is acc...

The good, the bad and the ugly. 2003-08-25
Tomdaq
I agree that McDanel's response was justified. In fact I believe he had an obligation to take some sort of action that would lead to improved customer privacy. Tornado is definitely obligated to do so according to California state law. Furthermore, to assume McDanel stole an email list from Torna...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous
But he DIDN'T "break in just to show" it was insecure.

It's as if he mailed letters to all of a bank's depositors telling them the bank didn't lock its doors at night -- but he never went into the bank after hours or stole anything.
...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous
"You wouldn't go break into someone's house just to tell each member of the family just how insecure Daddy's deadbolt installation was, would you? "

In what way did he "break into someone's house"? It seems like a more accurate comparison would be that he called the members of the household on t...

The Sad Tale of a Security Whistleblower 2003-08-18
TomV
Gee, does this mean that we can expect to see Homeland officials in jail for speaking about airline security? This decision is a direct slap at the entire Federal Whistle Blower Program. I guess we can all just shut up and watch the nation's system go to hell, just like our economy and government. Any...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (8 replies)
He should not have said a thing to anyone but the company.

It is a customer's fault if they place their trust in a faulty company and/or product(s).

I mean, would you run around telling people about all the bad things they buy at supermarkets or not to drink?

He told the company. He went over the l...

The Sad Tale of a Security Whistleblower 2003-08-18
Chris Humphries (3 replies)
Free speech is one thing; targeted free speech is another and can be an attack, especially if targeted _solely_ at a business's customers.

Posting security information publicly is one thing; posting security information directly to customers of a business where loss of business will be affected i...

The Sad Tale of a Security Whistleblower 2003-08-19
The Big Mac
Gee guys, I guess we better round up those terrorists at Consumer Reports. Every day they publish information that hurts businesses.
Simple fact is, if the information was false it's a civil matter (libel or slander, it's too late for me to remember which is which), but it was true!! Would you expect me ...

The Sad Tale of a Security Whistleblower 2003-08-19
Judith (1 replies)
Whether he should have been prosecuted or not is moot when compared to the ramifications of the case. This new interpretation of the law could possibly be used to prosecute people who post bugs and vulnerabilities to forums like Bugtraq. That's the problem here. That's the danger. And that's what w...

The Sad Tale of a Security Whistleblower 2003-08-20
Elc0chin0
Ahhhh Judith, you speak too wise. Your prophetic words waft at a level most of the insipid will find difficult to grasp. Including, sad to say the judge in this case. He probably brings work in from his home computer plagued with the latest worm and sets off to infect the entire judicial system. ...

The Sad Tale of a Security Whistleblower 2003-08-21
Morosoph
Knowledge with proof that a product is defective is not the same as slandering or libelling someone's good character or a company's trustworthiness, for the difference is in the proof. This is clearly protected free speech.

It's not reasonable to say that he acted harmfully to the company and so...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous
[snip]
it is a customer's fault if they place their trust in a faulty company and/or product(s).
[/snip]

Did you happen to write that message with a computer? We all put our trust in faulty products. When I buy a product, I am assuming it works and is secure....

The Sad Tale of a Security Whistleblower 2003-08-18
Steve.
Are you completely stupid?

If I buy a car from company X, and that car has a serious defect, and the company knew about it - but did nothing - it is the company's fault for knowingly selling a faulty product.

Say I buy email hosting from company Z; if they know that their email is insecure, yet ...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous
Read the article, nimrod.

--------------- snip ---------------
However, McDanel apparently discovered a flaw in the web-mail that would permit malicious users to piggyback a previous secure session

(snip)

Dissatisfied with the pace at which Tornado addressed the issue (and for other reasons...

The Sad Tale of Unthinking Knee-Jerking 2003-08-18
Anonymous
Another Anonymous wrote:

"it is a customer's fault if they place their trust in a faulty company and/or product(s)."

This begs the question: if a company's customer cannot learn about the defects of the product they are using, how are they supposed to know what they can trust?

...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous
Reading your post, I'm picturing you as the 'pointy haired boss' type. Only some moron in management would have such a horrible attitude towards this topic. You say it's the customers' fault for trusting a faulty company. How can the customers know if the company is faulty? Especially if the...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous
What a fascinating concept - let the buyer beware! So you honestly believe and hope that, if a company advertises a product as being one thing, knowing it is not true, it's the customer's fault if they're stupid enough to believe them.

Well, we can just disband all those silly Agencies now - the F...

The Sad Tale of a Security Whistleblower 2003-08-21
Anonymous
Companies that produce dodgy products are _meant_ to go to the wall! The marketplace works insofar as it does because it's a mechanism of information transfer: the enterprise is accountable for its actions. Looking to the social welfare of the workers means that the company is never held accountable...

The Sad Tale of a Security Whistleblower 2003-08-18
Bob Radvanovsky (3 replies)
This case is clearly stretching any liability issues (that may exist) in a very weak attempt at "finger pointing". To think like typical management, management wants "quick fixes" -- ones in which there is an easy solution to an otherwise disastrously ugly situation. This one is no different.
...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (1 replies)
since U.S. corporations WILL NOT / CAN NOT / SHALL NOT do anything OTHER than "spin-doctor" their reasons for NOT fixing the problem(s), partially because of the overwhelming bureaucracies and politics within their organizational structures, OR from the perspective that their stocks/bonds will go d...

The Sad Tale of a Security Whistleblower 2003-08-20
Leif Ericksen
3 monkeys, you completely missed the point of what Mr Radvanovsky said.

From what I have read, he is saying that you bring to light a security issue and companies deny it and come up with some reason for why you are wrong and their networks are indeed 'secure and hacker proof'.

--lhe...

The Sad Tale of a Security Whistleblower 2003-08-19
Elc0chin0 (2 replies)
Bob, you're either a politician protecting someone else, a student who had to write a paper on the subject of rhetoric or a journalist for FOX. You've managed to write out 5 minutes of blablabla and say absolutely nothing.

But thanks for the input....

The Sad Tale of a Security Whistleblower 2003-08-19
Bob Radvanovsky
No, I am neither a politician (attempting to hide anything), nor am I a student writing their thesis. I am an "Average Joe" who works in the trenches of IT (more specifically, IT in healthcare) EVERYDAY. I encounter my fair share of "spin-doctoring" from management here, as well as from fellow colle...

The Sad Tale of a Security Whistleblower 2003-08-20
Anonymous
Gee Did Bob write at such a high level that it took you 5 minutes to read it? It took me all of 3 minutes to read and understand it.

I bet Bob has an IQ above 145 and yours is at best 95.


=GEESH...

The Sad Tale of a Security Whistleblower 2003-08-20
Leif Ericksen
Mr Radvanovsky,

I would have to agree with you on your points that companies do not want to admit that there is a problem. However, I would say that it is not all of them but MANY, at worst approaching most of them.

I have seen and heard companies go we have no problem when confronted with a pr...

The Sad Tale of a Security Whistleblower 2003-08-18
John Poindexter (1 replies)
This man is clearly a terrorist and should have had a longer jail term. Thank God and Praise Jesus we have a strong man leading the Justice Department. He'll have the rest of you "freedom" loving hippies behind bars soon enough. Then the rest of us will be free. Free to do as we're told. Free to not ...

The Sad Tale of a Security Whistleblower 2003-08-19
Elc0chin0
hahahahahahahahahahahaha

John, you are too funny......

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (1 replies)
Only in America....

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous
And Soviet Russia.

Am I seeing some parallels?

Sometimes I think what we all need is a new revolution.

Cause ain't no one is paying attention to the fact that the federal government THAT WE ELECTED is violating our constitution. We gave them power and they abused it. ...

The Sad Tale of a Security Whistleblower 2003-08-18
Anonymous (1 replies)
Put yourself in the position of a customer.

Let's say the company you signed up for stored your private information like credit card numbers; Wouldn't you want to be notified by someone that the company's system has a bug that can affect you as a customer? Wouldn't you want to know that the compan...

The Sad Tale of a Security Whistleblower 2003-08-19
jofny
I think most of these posts are missing two key points. 1: Whether or not he did "the right thing", did he in fact violate the law by causing damage or in any way hinder the functioning of the network? 2: Did he have some sort of view of the system that the general public did not have?

The system...

The Sad Tale of a Security Whistleblower 2003-08-18
Old Grue
How he went about 'doing the right thing' (patching security) was his crime. It's really too bad that he is getting prosecuted under a poorly worded law that makes this particular forum questionably legal as well....

He did the right thing. 2003-08-18
Anonymous
The guilty parties in this case are the pointy-headed idiots he used to work for. His prosecution was a travesty. ...

It might have been better to talk to the press. 2003-08-18
Anonymous (2 replies)
If, instead of disclosing the vulnerability, he had simply stated publicly that a vulnerability existed, that he had told management about it, and that they had done nothing to address it, then he would have discharged his moral obligation, IMHO.

In any event, I can't see any justification for pro...

It might have been better to talk to the press. 2003-08-19
Anonymous
What I want to know is what kind of pinhead did this guy have for a lawyer?

I mean seriously. You'd have to be a moron to let your client go to jail in this case....

It might have been better to talk to the press. 2003-08-19
Bob Radvanovsky (1 replies)
I agree that a much better method is to state that vulnerabilities *may* exist within their given system without mentioning specific details; however, many companies of today still DO NOT want to hear that their "sky is falling down" upon them. In most cases, it is (unfortunate, but sadly becoming ...

It might have been better to talk to the press. 2003-08-19
Elc0chin0
I've met my match. Someone who rambles more than I do.
...

The Sad Tale of a Security Whistleblower 2003-08-19
Ashamed US Citizen
Even more sadly, it's becoming an all-too-common tale. RIAA, DirecTV, BSA, now Tornado Development, Inc. The list goes on...
The current political administration obviously favour their big-business campaign contributors over the lowly voter. Why shouldn't they - they've successfully decided the ...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
This is the wrong message to send to citizens. He should be fined, not sent to prison. What idiot prosecutor thought this up?

...

Bill Gates deserves jail 2003-08-19
Anonymous
Because he revealed the vulnerability that resulted in hacked servers and millions of worm infected computers....

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
Why was there no 1st Amendment defense? It's beyond my conception that no EFF or ACLU affiliated attorney wanted to yank on this chain.
...

The Sad Tale of a Security Whistleblower 2003-08-19
aXe-2-gRiND
This is one of the most ridiculous things I have ever heard of. Not the report itself, which is quite good, but the situation.

Under the same logic, we must now scream for the prosecution of the producers of TV shows such as COPS, magazines such as Consumer Reports, Web sites such as Epinions.co...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
This is not like he broke into a house to tell them the locks did not work. This is more like he told the locksmith who installed them that the locks were not secure and then told all his customers when he did nothing.

The speech should be protected by the 1st Amendment even if a large portion o...

I was there when this happened 2003-08-19
Anonymous (3 replies)
I can confirm that Bret McDanel is no hero. He's actually quite an asshole. The kind of guy who spits out a nasty insult about reading the man page when you ask him how to set up a VPN so you can help a customer. He seemed to really enjoy carrying grudges against people. I had the distinct displeasu...

it seems you were also at slashdot 2003-08-20
Anonymous
http://yro.slashdot.org/comments.pl?sid=75168&cid=6730388 ...

I was there when this happened 2003-08-20
Drg
Good thing you posted as anonymous; I thought Tornado might hunt you down and prosecute you too for disclosing the info on the open relay and poor network infrastructure ;)...

I was there when this happened 2003-08-27
SCamerone

Just had to respond to this one. Maybe it's my mood today. Apologies up-front.

>I can confirm that Bret McDanel is no hero.
>He's actually quite an asshole.
>The kind of guy who spits out a nasty
>insult about reading the man page

That is what my gut told me. However, maybe it's your envi...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
Seems to me they weren't being entirely truthful with their advertising... is it lawful to call your system secure when you know of a vulnerability and have done nothing to fix it? Could he maybe have brought it to the FTC?...

The Sad Tale of a Security Whistleblower 2003-08-19
Jerry Westrick
Microsoft published info about a security hole a couple of weeks ago.

That security hole was used by the msblast worm.

The worm did calculable damage...

Why doesn't California go after Billy?

I mean it's obvious that M$ did intend for hackers to exploit the hole, just as it is obvious th...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
If someone told me that people could be reading my email I sure as hell would be happy to know about it... I'd also want to know why it was covered up for so long.. Cheap sob's...

Idiot 2003-08-19
Anonymous (1 replies)
What kind of idiot hacks to get his point across and then links it directly to his site? Of course he had it coming. You don't hack into some system to show that you can hack into it and then just expect to get off scott free. If they let this guy go then any pimply faced teenage trench coat mafi...

Idiot 2003-08-19
Elc0chin0
Anon, please re-read the article, then re-post your comments. You must have been this guy's inept lawyer....

How To Properly Send Security Flaw Alerts 2003-08-19
Anonymous
Well, it seems that maybe all security flaws should just be published in less than reputable sites and zines for the interested parties to find.

Then the folks with the systems with problems and their customers will find out about the problem, soon enough. ;)

If the legal system wishes to pun...

Read it yourself. 2003-08-19
Anonymous
There is a lot that you people are not seeing here. Read the actual indictment and the appeal filed by Jennifer Granick. He did cause damage, he did it maliciously, he continued doing it after he knew he was causing damage and he has a history of this type of behavior.
It's all there people. Befor...

The Sad Tale of a Security Whistleblower or How to cover your corporate @$$ when sweeping a problem under the rug 2003-08-19
Ashaman (1 replies)
Let's look at how he attempted to call attention to this issue:

1-when he discovered the issue, he went to his employer to try to have them correct it. when they did not, he left the company "McDanel severed his employment with them, and went to work for another company." not fired, not "invited ...

The Sad Tale of a Security Whistleblower or How to cover your corporate @$$ when sweeping a problem under the rug 2003-08-19
Elc0chin0 (1 replies)
FYI - I'm a member of the local ISSA chapter and on the BOD.

I brought this issue up at our meeting today. One of the folks at my table is a retired FBI agent who was head of the InfraGard chapter locally. He too got a bit pissed when he read the article; he sided with the whistleblower.

I do...

The Sad Tale of a Security Whistleblower or How to cover your corporate @$$ when sweeping a problem under the rug 2003-08-19
Ashaman (1 replies)
For the record, I consider myself a "knee-jerk" Republican, but this case makes me sick. This is simply a case of a company abusing its position to silence a serious concern....

The Sad Tale of a Security Whistleblower or How to cover your corporate @$$ when sweeping a problem under the rug 2003-08-20
Elc0chin0
I wouldn't call you knee-jerk. I probably wouldn't even recognize you as a Republican unless we were at the beach and saw the elephant tattoo on your 'right' arm.

The point my FBI friend brought out, which I thought was interesting, was that this doesn't look good in the eyes of the 'hacker' world...

Just where he has got the email addresses from? 2003-08-19
Anonymous (1 replies)
The article seems to be very suspicious in not bringing enough details forward.

These 5600 email addresses the guy used, where did they come from? I suppose he knew them because of his previous employment at the company in question. Then, he has certainly signed some kind of contract prohibiting ...

Just where he has got the email addresses from? 2003-08-19
Anonymous (3 replies)
He could have just googled for them. I doubt it, but it should be innocent until proven guilty.


...

Just where he has got the email addresses from? 2003-08-20
Anonymous
He was not prosecuted for harvesting email addresses, he was prosecuted for telling the customers about the security hole via email....

Just where he has got the email addresses from? 2003-08-20
Anonymous
It doesn't matter. He was not prosecuted for 'stealing' email addresses. Even if he was, that would be a civil matter, not a criminal one....

Just where he has got the email addresses from? 2003-08-20
Anonymous
It doesn't matter. He was not prosecuted for harvesting emails....

As the saying goes... 2003-08-19
Anonymous
... no good deed goes unpunished.

At least in the "land of the free" (as long as "free" doesn't mean individuals)
...

The Sad Tale of a Security Whistleblower 2003-08-19
blacklight
The Sad Tale of a Security Whistleblower fulfills all three criteria: (1) crucifying the messenger is an effective method of distracting everyone away from reading the message; (2) marginalize the dissenting voice and if that voice is right, punish it for being right; (3) no good deed goes unpunishe...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous
if you can't do the crime, don't do the time
if you peek, don't leak...

Rebel Without a Cause 2003-08-19
The Resonating Oscillator (3 replies)
#1 The code was probably proprietary and the company in question had every right to take its time and dedicate the time and resources needed to fix the bugs. He cannot prioritize on behalf of the company.

#2 As an employee, he cannot make the decisions of notifying customers, it has to come from ...

Rebel Without a Cause 2003-08-20
Anonymous
Too easy.... Man, I hope you never become a judge. 16 months in jail is too easy. Well, I guess everyone's entitled to their own opinion, but I'd say that at most, that is if the judge thought the guy needed to be punished, community computer-related services would have been harsh enough... this is a b...

Rebel Without a Cause 2003-08-20
Anonymous
#1 He did not prioritize on behalf of the company. He only told the customers their company was lying to them.

#2 He was not an employee when he notified the customers.

#3 McDanel, private citizen, did not have a supervisor/manager...

Rebel Without a Cause 2003-08-20
Elc0chin0
Dear Resonating Oscillator;

check your configuration I think thy fan is stuck to the far right......

The Government has gone too far. 2003-08-19
GWB (1 replies)
People,

If we don't get enough people together through editorials or online forums to voice their opinion on the idiocy of this behavior, then we all will be responsible for our Government's actions.

The more we let the RIAA, MPAA, etc. dictate what we can & can't use a computer for, we will be...

The Government has gone too far. 2003-08-19
Anonymous
Preach it brother, oh and I agree with that revolution bit :)...

The Sad Tale of a Security Whistleblower 2003-08-19
Anonymous (2 replies)
Is there any agency in the US that deals with the description of goods/services supplied to a customer? Would it be possible to encourage the company to fix the hole by informing them that the company was wrongly describing its service as "secure"....

The Sad Tale of a Security Whistleblower 2003-08-20
Anonymous
Actually, since the Tornado position is the customer emails were secure, that makes Tornado prosecutable for fraud.

That is a federal crime, right, accepting money under false pretenses.
...

The Sad Tale of a Security Whistleblower 2003-08-20
Bob Radvanovsky
Actually -- there are several areas which might be checked. The best that I can determine is the U.S. Code, Title 15, as listed (in its entirety) at Cornell University's Law School.

URL: http://www4.law.cornell.edu/uscode/15/

From what I've searched, for services rendered, it's kind of a "gre...

Much thanks to a brave individual!! 2003-08-20
Gary
Most likely this person knew that there would be repercussions for his action but took them anyway when the company did not fix the security flaw, and as the article stated, submitting it to a bug tracking site or news group would have been completely in the wrong. I would be grateful to an employee...

What about Cali's New Law? 2003-08-20
Nick Jacobsen (1 replies)
I am curious how California's new law regarding notifying customers of security breaches would affect this case, if the case had happened today, instead of a year ago. It seems to me that the company would then be liable to its customers for not fixing it - and the company would be facing fines and ...

What about Cali's New Law? 2003-08-21
Mark D. Rasch (1 replies)
The California law applies to BREACHES that expose personal information, not vulnerabilities. Since there was no evidence that the vulnerability was ever exploited by ANYONE, the California law would not apply to Tornado.

He got the email addresses because the naming protocol was something lik...

What about Cali's New Law? 2003-08-22
Elc0chin0
It almost looks as if the law is after the fact. In other words, if the issue or potential exploit had been discovered (internally) then it has not been "exploited" to reveal "personal" information.

So the law is post mortem after the body has been buried and dead and re-born and dead again. Th...

Discrepancies 2003-08-20
Kat (1 replies)
In looking online at other articles about this case, he was charged with sending 14,000 messages to the mail server with malicious intent (he wanted to bring down the server) at a rate of 30 emails per second. In this article, he says that it was significantly fewer emails and spread out over a 3 day...

Discrepancies 2003-08-21
Elc0chin0
Although the other articles present a more one-sided point of view by seemingly overstating the issues, the case on-line states the number was only 5600 e-mails sent over three days, which amounts to about 1866 e-mails per day.

The SoBig worm was sending out 25 e-mails per machine per minute. We have...

Why does Mark Rasch lie about his past jobs? 2003-08-20
One who knows (2 replies)
Despite the tag at the end of Rasch's column, he was NEVER the head of the DOJ Computer Crime Unit. In fact, Rasch was never even in the unit (he was in the Fraud Section). The unit chief during Rasch's time at DOJ was Scott Charney.

To give him his props, Rasch did prosecute RTM, but he was ne...

Why does Mark Rasch lie about his past jobs? 2003-08-24
Anonymous
Very true. There are others that have noticed this as well. ...

Why does Mark Rasch lie about his past jobs? 2003-08-25
At The Bow's End
It is a tough life being a relative celebrity. Some people admire those that have achieved something, while others take their success as an insult to their own abilities - sad fact of life.

Computer Crime and Fraud tie into one another, and if you've ever worked for a company of more than 50 empl...

The Sad Tale of a Security Whistleblower 2003-08-20
Drg
Why didn't he just post the emails as Zer0C00l =P...

Oh, BTW, your zipper is open 2003-08-22
Anonymous
But don't expect me to tell you. I could be thrown into prison for damaging your integrity.

And, psst, your new electronic door lock, if you ever forget your passcode, just press # twice and it will flash in front of you, but don't tell anyone....

The Sad Tale of a Security Whistleblower 2003-08-22
Anonymous
He should have kept quiet and let the users suffer. Or he can open his mouth and go to jail. Nice choices.

I believe he should in the first place let the users suffer and let them sue Tornado's ass off since he no longer works for them. Why bother being kind and getting jailed for it.

If he had known he...

The Sad Tale of a Security Whistleblower 2003-08-22
Anonymous (1 replies)
http://www.usdoj.gov/criminal/cybercrime/mcdanelSent.htm

this also lines up with all the (CA) news sources I read at the time of the incident, that they prosecuted based on spamming laws.

His motivation was that he was starting up a competing service. If you knew him (as penguinisto just might...

Factual References 2003-08-26
Mark D. Rasch (1 replies)
For factual references, please see the Appellant's brief which can be found at
http://cyberlaw.stanford.edu/about/cases/united_states_of_america_.shtml

The government used BOTH theories -- that McDanel's emails themselves damaged Tornado's servers (a spam DOS theory) and that the CONTENT of the...

Factual References 2003-08-26
Bob Radvanovsky
To clarify, I did some reading of the 18 USC 1030 section and found the definition which contained the phrase "impairment of integrity". The phrase "impairment of integrity" was referring to the definition of "damage" -- see USC Title 18, Part I, Chapter 47, Section 1030, Subsection (a)(8), in t...

The Sad Tale of a Security Whistleblower 2003-08-22
Anonymous
Stupid Americans...

The Sad Tale of a Security Whistleblower 2003-08-23
Anonymous
If I were a Tornado customer, I think I would sue the company for negligence under that guy's testimony.

However, I would have done it smarter by indeed disclosing the break to real "professionals" in hacking... emailing the customers was not super smart!
...

The Sad Tale of a Security Whistleblower 2003-08-25
Anonymous
He says in the article that Congress should specify what exactly is breaking the law when it comes to "integrity". I have to laugh; over half the individuals in Congress have been there longer than computers have been in everyone's household and barely know what a mouse is about.
Someone needs t...

The Sad Tale of a Security Whistleblower 2003-08-26
Robert H
Just another example of governmental "justice". Most government agencies are "in bed" with big businesses like Tornado....

The Sad Tale of a Security Whistleblower 2003-08-28
Anonymous
Maybe the guy was a complete ass, but this is beside the point.

Why didn't the company fix its problems once they were pointed out?

Who is to prosecute wilfully negligent companies like this one?

How can a consumer beware if s/he is denied access to information by the government who represe...

Fine 2003-08-28
agent1
Fine, if the government wants to be that way, then fine. We are the people they rely on to find these problems and get them fixed before black hats and/or script kiddies destroy users' computers. No more of that now, fix your own holes....

Blame Hollywood! 2003-08-28
Anonymous
As overly broad as this interpretation is, particularly in this case, one could just as easily argue that Hollywood is responsible for [insert violent crime of your choice here].

Hell... I myself could go to jail for the following:
1. Acquire firearm
2. Insert ammunition
3. Point firearm in th...
