Point Out A Security Vulnerability, Go To Jail
from the the-anti-whistleblowing-culture dept
Last year, Time's "People of the Year" were three whistleblowers who brought attention to the various corporate scandals. While the government keeps saying it's important for those who know about corporate scams to blow the whistle, the same apparently does not apply for technology vulnerabilities. Blowing the the whistle on security vulnerabilities can be considered a felony for which you can serve time in jail. The article describes the case of a guy working at an ISP who revealed a security hole in their webmail application, which he reported to management. Management did nothing about it, and the guy eventually left to work elsewhere. A few months later, after determining that the security hole was still open he spammed all of their customers to tell them about the hole. Now, his method was not particularly smart, but he wasn't sued for spamming. He was charged with a felony for "impairing the integrity" of a network, and spent 16 months in jail. This is, of course, ridiculous - because it wasn't he who impaired the integrity of the network, but those who, upon being alerted, refused to fix it.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Security solely through obscurity
The unfortunate thing is not that companies use lawsuits and law enforcement officers to hide security faults, but the fact that we, as customers, don't demand more of the vendors. If we would stand up as a collective group and not support those companies who do this, the stupidity would stop. However, I find myself usually on the receiving end of anger and hatred for even mentioning that we should fight back, because most customers *want* to be sheep, and would much rather not care about security issues, and certainly would not want to stand up since obviously the company knows best.
Then again, if companies view me, a security researcher, as a thorn in their side for exposing vulnerabilities in their software, and they retaliate, like McDanel, I am ready to take the punishment too. Hopefully as more of these cases are exposed, more people will be aware of the stupidity, and more changes will occur.
[ link to this | view in chronology ]
Bad.....
There is no way that someone could in good faith find this practice of bug hunter hunting to be ethical or legal. No laws allow it. And don't even think of mentioning the DMCA; that isn't a law (it can't be, as it doesn't fit the required criteria), it is an abomination. The DMCA makes CAN-SPAM look like a rosy, positive solution.
[ link to this | view in chronology ]