
Prosecutors reverse stance on cybercrime conviction


shanek
20th November 2003, 05:03 PM
This is excellent news! It's ridiculous that someone can be convicted of "cyber-crime" for simply demonstrating the flaws in a security system. He's just the messenger, people!

I'm sure all the guys at SecurityFocus, CERT, etc. are all breathing a collective sigh of relief.

http://news.zdnet.co.uk/internet/security/0,39020375,39117203,00.htm

US federal prosecutors have asked a court to overturn the conviction of a man who notified his former employer's customers of a security flaw

Federal prosecutors asked a San Francisco appeals court this week to reverse a computer-crime conviction that punished a California man for notifying a company's customers of a flaw in the company's email service.

The conviction stems from an incident in September 2000, when McDanel notified the customers of his former employer -- Tornado Development, which has since closed its doors -- that the company's Web-based email system had a flaw that could allow an attacker to gain access to a user's email. The prosecutors successfully argued that that act -- and the 5,600 emails sent to customers -- had essentially damaged Tornado's system.

Now, following an appeal by Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society, the US attorney's office for the Central District of California admits that the arguments should not have prevailed.

"The government concedes that the evidence did not establish an intent to 'damage' within the meaning of the statute (Computer Fraud and Abuse Act), and requests that this Court reverse the defendant's conviction," Ronald Cheng, assistant US attorney for the Central District of California, stated in the filing.

If the court agrees to overturn the conviction, it will remove a precedent that could have squelched the research of many security experts. The original conviction by US District Judge Lourdes G Baird determined that, by revealing a flaw in a system's security, a researcher could be accused of harming the system, a violation of computer crime laws. Cheng's statement acknowledges that such a reading should not be valid.

Rather than a criminal hacker bent on revenge, McDanel was an employee who voluntarily left Tornado to join another company, partially because the now-defunct company wouldn't deal with a security problem that he had flagged, Granick argued in the appeals-court filing. More than half a year after he left the company, McDanel used his valid account on the system to send a mass mailing to the company's customers, warning them of the flaw, she argued.

"This prosecution rode on the government's contention that McDanel was a 'hacker' with a criminal mind and a bone to pick against his former employer," Granick stated. "That bone was Tornado's refusal to fix identified security problems, and McDanel dealt with it by telling customers so that they could help themselves. This is not a crime."

The flaw highlighted by McDanel couldn't be considered confidential, because most security experts could easily spot it, Granick argued. A critical identifier that could allow access to a user's account was sent as part of the Web address in a browser, according to court documents. McDanel warned that a user that left the Tornado email system to go to another Web site would be giving the other site the "keys" to the user's online mailbox.

Granick pointed out that the technical issues of the case couldn't be sufficiently explored because McDanel was not allowed an expert witness to refute Tornado's testimony. For example, a witness who would have testified that 5,600 email messages wouldn't have an appreciable effect on any capable mail server was essentially silenced by a technicality and was only allowed to provide technical definitions. Moreover, the original defence attorney failed to give McDanel an opportunity to testify on his own behalf, Granick stated in the appeals-court filing.

Thom Mrozek, a spokesman for the US attorney's office for the Central District of California, said that prosecutors rarely ask for a reversal. "It's pretty damn rare," he said. "I have never seen it happen."
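The flaw the quoted article describes (a session identifier carried in the Web address, handed to the next site through the browser's Referer header) as an added illustration that is not part of this thread or of Tornado's system; the webmail URL, the third-party URL and the token are constructed, and the Referrer-Policy model is a simplified one.

```python
"""Show how a session identifier placed in a URL leaks via the Referer header,
and how moving it out of the URL (or a strict Referrer-Policy) stops the leak.
All URLs and the token below are constructed for illustration."""
from typing import Optional
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed example: a webmail page whose URL carries the session key.
WEBMAIL_PAGE = "https://webmail.example.test/inbox?user=alice&session=7f3a9c0d2e"
THIRD_PARTY = "https://ads.example.org/landing"


def referer_for(page_url: str, target_url: str,
                policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Referer value a browser sends when following a link from page_url to
    target_url under the named Referrer-Policy (simplified model of the W3C
    policy names). The default here is the legacy browser behaviour: the full
    page URL, query string included, unless the link goes https -> http."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    origin = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return page_url
    if policy == "strict-origin-when-cross-origin":
        # Modern default: full URL only to the same origin, bare origin otherwise.
        return None if downgrade else (page_url if same_origin else origin)
    return None if downgrade else page_url


def token_leaked(referer: Optional[str], param: str) -> bool:
    """True if the Referer that would be sent carries the named query parameter."""
    if referer is None:
        return False
    return param in parse_qs(urlsplit(referer).query)


def strip_session_from_url(page_url: str, param: str) -> str:
    """Hardened form: keep the session key out of the URL entirely (it belongs in
    an HttpOnly cookie), so no Referer header can ever carry it."""
    parts = urlsplit(page_url)
    kept = {k: v for k, v in parse_qs(parts.query).items() if k != param}
    return urlunsplit(parts._replace(query=urlencode(kept, doseq=True)))


if __name__ == "__main__":
    ref = referer_for(WEBMAIL_PAGE, THIRD_PARTY)
    print("legacy Referer:", ref, "leaks session:", token_leaked(ref, "session"))
    safe = strip_session_from_url(WEBMAIL_PAGE, "session")
    print("hardened URL:", safe, "leaks session:",
          token_leaked(referer_for(safe, THIRD_PARTY), "session"))
```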

arcticpenguin
20th November 2003, 05:16 PM
Most excellent.

Yahweh
20th November 2003, 06:18 PM
Originally posted by shanek
This is excellent news! It's ridiculous that someone can be convicted of "cyber-crime" for simply demonstrating the flaws in a security system.

Good news indeed.

I'm reminded of the airport security incident with that college kid...