[h3]Why it's dumb to bust people for pointing out security flaws [/h3] Jennifer Granick's column in today's Wired News, "Spot a Bug, Go to Jail," covers the insane trend of suing and prosecuting whistle-blowers who report security vulnerabilities. It's a truism among security practitioners that there is no security through obscurity -- in other words, that keeping a system's workings and failings secret does not make it more secure, and often makes it less so. It's only through disclosure of failings that systems get fixed, and that disclosure also lets the users of security systems make informed decisions about whether a given system is adequate for their needs. If [a href="vny!://www.boingboing.net/2004/09/25/bic_as_picklock_cont.html"]your bike lock can be picked with a ball-point pen[/a], don't you want to know that?

[blockquote][p] In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction. [/p][/blockquote]

[a href="vny!://www.wired.com/news/columns/circuitcourt/0,70857-0.html?tw=wn_index_6"]Link[/a]