Appeal in bug disclosure case
Deborah Radcliff, SecurityFocus 2003-08-07

Bret McDanel already served his 16 months in federal prison for violating the Federal Computer Fraud and Abuse Act. Now he wants to clear his record.

Appeal in bug disclosure case 2003-08-12
Smokey
I looked into some of the exhibits filed in the appeal, one caught my eye. Exhibit 27, page 383. Transcripts from Mr. Matz (prosecutor) trying to define the statute (it was poorly written and this is not the first case to argue what it means, pesky dangling participle at the end).

Mr. Matz's position is that the transmission has to be authorized, not the damage. He also believes that if you put a web page up, and the content isn't approved by someone then it is unauthorized. In this case it was the security vulnerability on a web page.

He said:

"The best example I think of that kind of damage to computers other than Mako would be the evidence that the type of damage that the government has called more longer term damage in this case. And that would be essentially the integrity related damage which stems from the publication by the defendant of this NID related bug."

He then goes on about how contracts that never panned out by Global Crossing (gee right before they went bankrupt they don't spend a bunch of money.. Hmm) should be counted as damage. Further, there is damage to anyone that uses their software even if nothing was sent to those computers, or talked about those computers.

Under that logic if a person posts a flaw about Microsoft products then they could be facing billions in damages (which would easily get you 10 years, look at http://www.ussc.gov/ section 2B1.1)!!!

To quote more (p384):

Mr. Matz: "And the type of damage defendant caused in relation to the NID was the publication of this bug and the correspondent drop in the security and EVEN MORE IMPORTANT PERHAPS, THE PERCEPTION BY CONSUMERS THAT THERE WAS A LACK OF SECURITY.

All of those problems existed as soon as he published the existence of this bug. And they existed not only vis-a-vis Tornado and Tornado employees and the Tornado Mako computers, but all companies that either had already bought the software or were CONSIDERING BUYING THE SOFTWARE IN THE FUTURE. And it may in fact be that those other company's computers were, in fact, protected computers." (emphasis added).

Note: protected computers is a term of art in the statute to mean any computer that does commerce (interstate/foreign) to/from a US based computer.

This means that they are saying that damage not only includes the people that buy and use the software now (not just the company that wrote it but the people that bought it and use it!!) but PEOPLE IN THE FUTURE WHO *MIGHT* BUY IT.

The Government makes the same argument later saying "The intent that the government has proven is that he was trying to cause economic disruption to Tornado is another way to look at it, both of the availability of their system and also MORE IMPORTANTLY, the security of their of system." (emphasis added, yes he said 'of their of system' :)

So impairing the integrity by posting security advisories is more important to the government than other acts. They need to lose on the appeal and stop this line before it gets worse. One person to go to jail over this is more than enough, if this conviction is upheld then they will indict left and right!! They can go back for 5 years (that is the statute of limitations for 18 USC 1030) for the posts! They can get people in all countries (and conspiracy charges for groups/companies that posted) as long as there is a system in the US (or does commerce with the US).

I want to see them indict the people at nipc.gov and dhs.gov for posting security info on the web!! :)

Link to this comment: http://www.securityfocus.com/comments/articles/6643/21252#21252