Chinese Businessman Jailed For Honesty!


  • #31
    Originally posted by Spiffor

    As I've stated some months ago, the US is the least terrible superpower the world has ever known, and is probably better than the superpowers of the future as well.
    Gee, thanks!

    No, I did not steal that from somebody on Something Awful.



    • #32
      I hear there is a list of about two dozen topics which if any reporter reports about he will find himself unemployed if not in the clinker. That smells of a police state to me. I'm sure they aren't as bad as when that murderer Mao was running the show but it's still the same bunch of old men running the show.
      Try http://wordforge.net/index.php for discussion and debate.



      • #33
        Originally posted by The Mad Monk
        Gee, thanks!
        Given the intensity of my hatred for previous superpowers, you shouldn't thank me too fast
        "I have been reading up on the universe and have come to the conclusion that the universe is a good thing." -- Dissident
        "I never had the need to have a boner." -- Dissident
        "I have never cut off my penis when I was upset over a girl." -- Dis



        • #34
          Originally posted by mindseye
          Few Chinese would agree, not even perceptive, informed (western-educated) ones.
          Well of course. They'd be in jail otherwise. Points to the original post
          I make no bones about my moral support for [terrorist] organizations. - chegitz guevara
          For those who aspire to live in a high cost, high tax, big government place, our nation and the world offers plenty of options. Vermont, Canada and Venezuela all offer you the opportunity to live in the socialist, big government paradise you long for. –Senator Rubio



          • #35
            I hear there is a list of about two dozen topics which if any reporter reports about he will find himself unemployed if not in the clinker.


            Many westerners believe this. You would be surprised at the reality of changing press freedom here. A growing number of smaller, for-profit papers are not directly controlled by the information ministry; their content is increasingly different from the mainstream press.

            I would point out, for instance, recent front-page criticisms of the #2 national health minister's public statements. At a press conference, he downplayed the role of the whistle-blower who spoke out about hidden SARS patients in Beijing. After a number of papers harshly criticised him (calling the whistle-blower a hero), he was forced to back-track.
            Official Homepage of the HiRes Graphics Patch for Civ2



            • #36
              Originally posted by skywalker


              I agree entirely.

              I nominate you for "most agreeable liberal"
              We are going to have to take your liberal credentials away Spiff: you are selling out to the man!


              On topic: if the issue were his political statements only, wouldn't they have carted this guy away years ago? (since he has been outspoken v the system for a few years now) I agree with mindseye that his greatest "sin" was lowering the amount of money local pols. could syphon off the people.
              If you don't like reality, change it! me
              "Oh no! I am bested!" Drake
              "it is dangerous to be right when the government is wrong" Voltaire
              "Patriotism is a pernicious, psychopathic form of idiocy" George Bernard Shaw



              • #37
                I'd have to say the problem here was that he was dealing too honestly with his customers -- hence the thread title.
                No, I did not steal that from somebody on Something Awful.



                • #38
                  Re: Re: Chinese Businessman Jailed For Honesty!

                  Originally posted by DinoDoc
                  I wouldn't hold my breath.

                  * DinoDoc waits for UR to mention the US
                  Are you dead?

                  Here's your wish answered

                  The sad tale of a security whistleblower

                  Previous articles in this space have discussed whether security professionals can go to jail for doing things like demonstrating the insecurity of a wireless network, or conducting a throughput test on a system without permission. Now, a new and unwarranted extension of the US computer crime law shows that you can go to jail for simply telling potential victims that their data is vulnerable.

                  By explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist "impaired the integrity" of the affected network. It is now up to a federal appellate court to determine whether this interpretation of the law is to stand. If it does, it could mean a dramatic decline in postings to Bugtraq, CERT, or other public fora.

                  Bret McDanel was dissatisfied with his former employer, Tornado Development, Inc. Tornado provided Internet access and web-based email to its clients. However, McDanel apparently discovered a flaw in the web-mail that would permit malicious users to piggyback a previous secure session, grab the unique session ID and thereby read a user's email - despite the fact that the site promised that email was secure. Dissatisfied with the pace at which Tornado addressed the issue (and for other reasons, undoubtedly), McDanel severed his employment with them, and went to work for another company.

                  About six months later, according to defensive filings, McDanel discovered that Tornado had never fixed the vulnerability he discovered. Using the moniker "Secret Squirrel" he sent a single email to about 5600 of Tornado's customers over the course of three days, staggering the release each day to prevent flooding Tornado's email servers.

                  The email told Tornado's customers about the vulnerability, and directed them to his own website for information about it.

                  So what did Tornado do? First, they scrambled to delete their own customers' emails (without their permission) to prevent them from learning about the vulnerability. Then they took other steps to conceal the hole. Ultimately, they fixed the vulnerability, and upgraded their general security.

                  For his efforts, McDanel was arrested, tried, convicted and sentenced to 16 months in the federal pokey, which he has now served. He has appealed his conviction to the federal Ninth Circuit Court of Appeals.

                  It's important to note that McDanel was prosecuted not for a denial of service attack against Tornado by an email flood, but apparently because Tornado, and the government, were unhappy with the content of the email message and associated web page - content that is presumptively protected by the First Amendment. The "losses" suffered by Tornado, were only in lost reputation and lost clients. There was no evidence that McDanel or anyone else ever exploited the vulnerability.

                  To put McDanel in jail, the government adopted a rather unique interpretation of the federal computer crime statute.

                  The applicable language in the Computer Fraud and Abuse Act makes it a crime to "knowingly cause the transmission of information and as a result of such conduct, intentionally cause any impairment to the integrity or availability of data, a program, a system, or information without authorisation." Ordinarily, this is used to go after people who distribute worms or viruses, mailbombs and Trojan horses: things that actually shut down or affect the computer system itself.

                  More Oversight Needed
                  In this case, the government argued that the Secret Squirrel's missive itself - whether posted on his own webpage or emailed to Tornado's customers (or, presumably, posted to any other public source) "impaired the integrity" of Tornado's computers or network. The government argued that the message was incorrect, useful to would-be attackers, and was intentionally designed to give Tornado trouble.

                  Because McDanel revealed the flaw publicly (having previously revealed it privately to Tornado to no avail) he could be prosecuted, because, according to the government, "the public now knew about a flaw in the Tornado system, how that flaw worked, what that flaw could get somebody who exploited the flaw, and in fact a how-to manual about how to exploit that flaw".

                  Had the government merely gone after McDanel for a spam denial of service, or "email bomb" theory, and had they proven that the emails themselves slowed down or materially impaired the availability of Tornado's computers, there would likely be little chance on appeal (though a California State Supreme Court decision recently held that a massive email sent by an ex-Intel employee to his former colleagues was protected free speech where the effect on the mail servers was minimal.) If the email was intended to, and actually operated as, a denial of service attack - well, case closed.

                  But the government here has stretched the federal computer crime statute to include not only attacks on computers or networks, but the dissemination of information about vulnerabilities. They've expanded the definition of "impairing the integrity" of such affected systems. This is a dangerously slippery slope.

                  There is little doubt that what McDanel did was irresponsible and malicious. But, assuming the vulnerability existed, what were his alternatives? He had already told senior management about the hole, and they did not fix it. He could have told them again, and hoped that they took it more seriously. If he threatened to expose the vulnerability to force them to fix it, he could be prosecuted for extortion. And posting the vulnerability to a newsgroup or security organisation, instead of the customers, would be a fruitless exercise unless he detailed the entity that was suffering from the hole, and then would-be attackers would know who to attack, and Tornado would be in a worse position.

                  He likewise could have notified some governmental agency - but frankly, there is no government agency with a mandate to provide security advice to email carriers. So, he notified Tornado customers directly that their email accounts were at risk. He didn't exploit the vulnerability, encourage or conspire with others to exploit it. He didn't reveal the vulnerability to an underground hacker organisation. He told the affected people. For this, he went to jail.

                  He could have explained to the customers that their information was at risk, without revealing quite so much detail. But according to the government's theory of liability, this would not have prevented his prosecution. Moreover, as is frequently the case with security vulnerabilities, this likely would have prompted a quick denial by Tornado that any such bug existed - and they may or may not have fixed them.

                  Under the theory articulated by the government, the transmission of any information that can be used by others to impair the integrity of a computer system (or cause loss of reputation) if done without authorisation (and who would authorise it?) is a federal crime.

                  The law requires the impairment to be "intentional," but under US case law a person is presumed to intend "the natural and probable consequences of his or her actions." You know that revealing the vulnerability will embarrass the company, and this fact alone "impairs the integrity" of the network, according to the government's theory.

                  If you were to come into my office and ask my legal opinion about whether you should reveal a vulnerability under this interpretation of "impairing the integrity" of a computer, I would have to tell you that it was a federal felony to do so.

                  What we really need is for Congress to produce stringent guidelines for prosecutors about what kinds of conduct "impairs" integrity, and therefore runs afoul of the criminal law. These guidelines should be binding on all federal and state prosecutors so there is a clear understanding about what people in McDanel's position are permitted to do.

                  A code of conduct for security specialists with clear guidelines on what they can do when a company or entity refuses to fix a vulnerability would be helpful as well. Until then, as the canny desk sergeant in Hill Street Blues used to say, "Let's be careful out there."
                  Ah, yes, the irony
                  (\__/) 07/07/1937 - Never forget
                  (='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
                  (")_(") "Starting the fire from within."



                  • #39
                    Originally posted by Urban Ranger
                    Are you dead?

                    Here's your wish answered
                    You're way too predictable when it comes to threads like this UR. Step one for you is always to throw up irrelevant details to avoid the issue.
                    I make no bones about my moral support for [terrorist] organizations. - chegitz guevara
                    For those who aspire to live in a high cost, high tax, big government place, our nation and the world offers plenty of options. Vermont, Canada and Venezuela all offer you the opportunity to live in the socialist, big government paradise you long for. –Senator Rubio
