["Peter G. Neumann" <neumann@csl.sri.com>] Follow-up on Oklahoma wh
Message #102 of 148

Interesting parallels to my own ongoing case found in comp.risks:

Date: Sat, 25 Aug 2001 10:12:13 PDT
From: "Peter G. Neumann" <neumann@...>
Subject: Follow-up on Oklahoma whistleblower

Sheldon Sperling <Sheldon.Sperling@...>, the U.S. Attorney in the
Brian K. West case, has responded to various e-mail protests on his handling
of the case. He claims that West was not arrested and has not been charged.
However, an investigation is pending, to determine whether West
"intentionally accessed a computer without authorization or exceeded
authorized access (to access a computer with authorization and to use such
access to obtain or alter information in the computer that the accesser is
not entitled so to obtain or alter), (2) whether the employee thereby
obtained information from a protected computer (a computer which is used in
interstate or foreign commerce or communication), and (3) whether the
conduct involved an interstate communication. 18 USC 1030." [The full
statement from Sperling is included in a message from Declan McCullagh,
which is accessible at http://www.politechbot.com/ .]

I have noted in this space before that when there is no security in place,
the alleged culprit cannot have exceeded authority when no authority is
implied. As long-time RISKS readers will recall, this issue came up
relating to the trial of Robert Tappan Morris: in 1988, the Internet worm
never exceeded authority, because no authority was required to use the
sendmail debug option, to use the .rhosts mechanism, to execute the finger
daemon, or to read an unprotected encrypted password file. I wonder
if prosecutors will ever figure this out!

As long as we attempt to shoot the messenger and hide lame security behind
overly broad laws, weak security will prevail, and whistleblowers will be
much rarer than glassblowers. (For example, DMCA is among other things an
attempt to outlaw whistleblowers.)

See http://www.macintouch.com/newsrecent.shtml for the longer story.

We must get laws off the books that punish people trying to do good.

We need the equivalent of the "Good Samaritan" protection already
granted in other circumstances.

What can we do to get this into the heads of the legislators and
judicial decision makers?

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!



Sun Aug 26, 2001 2:16 pm

merlyn@...