Point Out A Security Vulnerability, Go To Jail

from the the-anti-whistleblowing-culture dept

Last year, Time’s “People of the Year” were three whistleblowers who brought attention to the various corporate scandals. While the government keeps saying it’s important for those who know about corporate scams to blow the whistle, the same apparently does not apply to technology vulnerabilities. Blowing the whistle on security vulnerabilities can be considered a felony for which you can serve time in jail. The article describes the case of a guy working at an ISP who found a security hole in their webmail application and reported it to management. Management did nothing about it, and the guy eventually left to work elsewhere. A few months later, after determining that the security hole was still open, he spammed all of their customers to tell them about the hole. Now, his method was not particularly smart, but he wasn’t sued for spamming. He was charged with a felony for “impairing the integrity” of a network, and spent 16 months in jail. This is, of course, ridiculous – because it wasn’t he who impaired the integrity of the network, but those who, upon being alerted, refused to fix it.


Comments on “Point Out A Security Vulnerability, Go To Jail”

LittleW0lf says:

Security solely through obscurity

I agree that McDanel probably shouldn’t have done what he did, after all, sending SPAM is not a good idea. However the fact that he was arrested for exposing a hole in the system is ridiculous. Then again, I myself was threatened several times with unemployment or civil/criminal prosecution for bugs I’ve discovered and published. Luckily, I outlived at least one of the companies who threatened me. This is unfortunately a common business practice for over-litigious businesses who would rather save their “good” name than fix errors in their software.

The unfortunate thing is not that companies use lawsuits and law enforcement officers to hide security faults, but the fact that we, as customers, don’t demand more of the vendors. If we would stand up as a collective group and not support those companies who do this, the stupidity would stop. However, I find myself usually on the receiving end of anger and hatred for even mentioning that we should fight back, because most customers *want* to be sheep, and would much rather not care about security issues, and certainly would not want to stand up since obviously the company knows best.

Then again, if companies view me, a security researcher, as a thorn in their side for exposing vulnerabilities in their software, and they retaliate, like McDanel, I am ready to take the punishment too. Hopefully as more of these cases are exposed, more people will be aware of the stupidity, and more changes will occur.

WK says:
That is bogus. It is illegal to prosecute someone for revealing bugs and such. Revealing bugs and such is a right granted by the US constitution. The most important amendment, too, the first one.

There is no way that someone could in good faith find this practice of bug hunter hunting to be ethical or legal. No laws allow it. And don’t even think of mentioning the DMCA; that isn’t a law (it can’t be, as it doesn’t fit the required criteria), it is an abomination. The DMCA makes CAN-SPAM look like a rosy, positive solution.
