Point Out A Security Vulnerability, Go To Jail

from the the-anti-whistleblowing-culture dept

Last year, Time's "Persons of the Year" were three whistleblowers who brought attention to the various corporate scandals. While the government keeps saying it's important for those who know about corporate scams to blow the whistle, the same apparently does not apply to technology vulnerabilities. Blowing the whistle on a security vulnerability can be treated as a felony for which you can serve time in jail. The article describes the case of a guy working at an ISP who found a security hole in their webmail application and reported it to management. Management did nothing about it, and the guy eventually left to work elsewhere. A few months later, after determining that the security hole was still open, he spammed all of their customers to tell them about it. Now, his method was not particularly smart, but he wasn't sued for spamming. He was charged with a felony for "impairing the integrity" of a network, and spent 16 months in jail. This is, of course, ridiculous, because it wasn't he who impaired the integrity of the network, but those who, upon being alerted, refused to fix it.

Reader Comments

    LittleW0lf, 18 Aug 2003 @ 1:54pm

    Security solely through obscurity

    I agree that McDanel probably shouldn't have done what he did, after all, sending SPAM is not a good idea. However the fact that he was arrested for exposing a hole in the system is ridiculous. Then again, I myself was threatened several times with unemployment or civil/criminal prosecution for bugs I've discovered and published. Luckily, I outlived at least one of the companies who threatened me. This is unfortunately a common business practice for over-litigious businesses who would rather save their "good" name than fix errors in their software.

    The unfortunate thing is not that companies use lawsuits and law enforcement officers to hide security faults, but the fact that we, as customers, don't demand more of the vendors. If we would stand up as a collective group and not support those companies who do this, the stupidity would stop. However, I find myself usually on the receiving end of anger and hatred for even mentioning that we should fight back, because most customers *want* to be sheep, and would much rather not care about security issues, and certainly would not want to stand up since obviously the company knows best.

    Then again, if companies view me, a security researcher, as a thorn in their side for exposing vulnerabilities in their software, and they retaliate, like McDanel, I am ready to take the punishment too. Hopefully as more of these cases are exposed, more people will be aware of the stupidity, and more changes will occur.

    WK, 17 Jul 2006 @ 10:59am

    Bad.....

    That is bogus. It is illegal to prosecute someone for revealing bugs and such. Revealing bugs and such is a right granted by the US constitution. The most important amendment, too, the first one.

    There is no way that someone could in good faith find this practice of bug hunter hunting to be ethical or legal. No laws allow it. And don't even think of mentioning the DMCA; that isn't a law (it can't be, as it doesn't fit the required criteria), it is an abomination. The DMCA makes CAN-SPAM look like a rosy, positive solution.
