No Good Deed…


SecurityFocus Columnist Mark Rasch relates the tale of Bret McDaniel, who had the temerity to inform clients of Tornado Development about a security hole that the company had failed to fix for a year, despite repeated notification, and despite bragging of their "secure" service. McDaniel was then sent to prison under federal law for exposing the security hole, despite the fact that it was never exploited. (Via Slashdot.)

NEXT: Free Soukh Economics

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. So, following this precident, I should get arreseted for telling my neighbor that leaving his door unlocked is insecure…

  2. What’s wrong with that? He was standing in the way of profits. It’s like modern-day union busting. You have to demoralize the opposition ruthlessly, elsewise they might think they can get somewhere by organizing.

    You have to stop them before they start. That’s why we have this GPL mess we have today. We still have a chance to get it invalidated, but it’s gonna be a tough and costly fight. McDaniel was in clear violation of the DMCA. He had to be made an example of.

  3. Larry-


    Of course, there’s plenty of culpability to go around…the main server was a Sun Enterprise 4500 with 4×450 CPU and 4Gb RAM. A machine like that should swallow 14,000 emails without a trace. Of course, Tornado’s brain-dead custom system implementation meant that every single incoming email spawned off an SQL script to take the message apart and inject it into the database, and a shell process to control the SQL script. The system load went over 100. I had to write a script to kill off all the processes. Since the load was so high, sendmail stopped accepting incoming mail and the rest of the spam piled up on the backup server, where it was rm’d. So, it was Bret’s fault for spamming us, but it was Tornado’s fault for such a painfully bad email processing method. This actually raises the most interesting question of all, is it a crime to knock down a system that was incompetently implemented?

    So that explains exactly how 14,000 e-mails can DOS a company.


    I didn’t say Tornado was innocent, but that it wasn’t clear-cut, or perhaps that it’s not black and white, little good guy versus big bad guy. McDaniel may be unofficially in trouble because he exposed hypocrisy, but mainly he’s being prosecuted for being an asshole and breaking laws–read up on the Randall Schwartz case for another example of how not to expose security flaws. The punishment didn’t fit the crime, there, either, but Randall was undoubtedly culpable.

    In short, if McDaniel had simply posted on some public bulletin boards about the insecurity of Tornado’s systems based on personal experience and never used their customer list nor specifics of how to exploit the flaws, he would likely be in no trouble now. However, it probably wouldn’t have had the same effect in attracting attention to the problem.

  4. Looks like this isn’t quite so clear cut:

    I can confirm that Bret McDanel is no hero. He’s actually quite an asshole. The kind of guy who spits out a nasty insult about reading the man page when you ask him how to set up a VPN so you can help a customer. He seemed to really enjoy carrying grudges against people. I had the distinct displeasure of working with him at Tornado, I was the on-duty sysadmin when the attack occurred, and I was one of the witnesses at the trial against him.

    Bret was not prosecuted for revealing a security vulnerability. He was prosecuted for DOS’ing our server. He sent 14,000 emails to our system, and it overloaded and stopped accepting mail. He did this several times, and knew it overloaded the system when he did it, and knew the FBI had been called after the first time, so nobody needs to feel sorry for him. Holding him up as a martyr or hero is just asinine, but it speaks volumes about how our media works these days.

  5. Well, maybe the columnist got the story wrong, but he does deal explicitly with that issue:
    “It’s important to note that McDanel was prosecuted not for a denial of service attack against Tornado by an e-mail flood, but apparently because Tornado, and the government, were unhappy with the content of the e-mail message and associated webpage.”

  6. Okay, Sandy. What kind of shitty email server would conk out from a mere 14,000 emails. Do you really expect us to believe that? Were these 14,000 emails unexpectedly large or were they just a couple KB of text?

    If the emails were 2KB each, then 14,000 of them would take up, oh, 2 cents of hard disk space until the recipients deleted/downloaded them.

  7. The government admitted error in the prosecution of mcdanel for revealing the flaw, not for spamming. Their press release (and the post flagged as a troll on slashdot that was also cut and pasted to the new thread also marked as a troll saying it was for spamming is totally out of sync with what was filed).

    On Oct 14, 2003 the federal government filed a ‘confession of error’ in court for prosecuting McDanel on revealing a flaw to affected people so they could protect themsevles. Interesting that their press releases said it was for spamming, but what they filed in court (and if they get caught lying to the court that is a big nono, but lying to the public is aparently ok) said it was for revealing the flaw. Hmm….

Please to post comments

Comments are closed.