[Full-Disclosure] RE: [ISN] The sad tale of a security whistleblower
This e-mail is in response to the following opinion article about the Bret
McDanel "Secret Squirrel" prosecution by Tornado Development, Inc.

> By Mark Rasch
> SecurityFocus
> Posted: 18/08/2003

> There is little doubt that what McDanel did was
> irresponsible and malicious.

Mark Rasch made a grave mistake when he came to the conclusion that McDanel's
"Secret Squirrel" e-mail to Tornado's customers was "irresponsible and
malicious". There is significant doubt that the act was malicious. As for
irresponsible, there is less doubt that McDanel's act was irresponsible --
McDanel should not have attempted to take the matter into his own hands by
communicating directly with Tornado's customers. He should have disclosed the
vulnerability in a public forum, instead.

> And posting the vulnerability to a newsgroup or security
> organisation, instead of the customers, would be a fruitless exercise
> unless he detailed the entity that was suffering from the hole, and
> then would-be attackers would know who to attack, and Tornado would be
> in a worse position.

Tornado would have been in a worse position but McDanel would have been in a
much better position. By attempting to communicate directly with affected
individuals through private correspondence, McDanel's act of disclosure became
something unusual. If not for the unusual nature of this communication, which
was outside the norm for information security research whose aim and goal is
to inform, educate, and find solutions to security problems, the prosecution
would have had a more difficult time pressing forward with the case. Even if a
trial did result, the jury would have been presented with a very different
scenario.

We can't know for sure that the verdict would have been different, of course,
but when I'm arrested and prosecuted for disclosing the details of a security
vulnerability, I personally want the jury to be forced to contemplate the fact
that convicting me is the same as convicting every single other honest
information security professional for doing our jobs and following a
reasonable standard of practice.

The slippery slope we should all be most concerned about is the one that
attempts to equate full disclosure with criminal activity. The slippery slope
in the McDanel case is a more conventional abuse of power, malicious
prosecution, and people and businesses who don't give proper consideration to
the civil liability they create for themselves when they attempt to interfere
with other people's rights and other people's opportunities to avail
themselves of the protections of law. The law was supposed to protect McDanel
in this circumstance and other people's practice of law and abuse of process
let him down.

But he should have known that posting the vulnerability to a public forum was
the right and proper course of action. Unfortunately, there are vocal people
and companies who try to conceal this truth in mumbo jumbo, and by so doing
gain additional power and legal leverage for themselves to the extent that
anyone else believes in it.

Sincerely,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: owner-isn@attrition.org [mailto:owner-isn@attrition.org]On Behalf
Of InfoSec News
Sent: Tuesday, August 19, 2003 2:10 AM
To: isn@attrition.org
Subject: [ISN] The sad tale of a security whistleblower
http://www.theregister.co.uk/content/55/32381.html

By Mark Rasch
SecurityFocus
Posted: 18/08/2003

...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html