Report Security Problems, Face The Consequences
An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.
PHB: "Good work, Johnson! That'll show 'em!"
Naked Woman Seeks Sex at Airport
Got Rhinos?
You're alive, you're alive, you're alive, you're dead.
...as opposed to a slow one;
You're alive, you're alive, you're alive, you're dead.
"From of old, there are not lacking things that have attained Oneness." - Lao Tzu
I can't believe that this sort of thing is happening.
It's a fairly obvious difference between cracking a system, and exploiting the problems found, and coming across a problem by accident and reporting them in a sensible manner.
Behaviour like this from clueless law enforcement bodies who obviously don't know the difference is not going to help anyone - it will deter people from helping one another out, because you don't know how the other sysadmin/business will react, and also that the law cannot tell that the party with the problem is overreacting.
What ever happened to the whole global village ethos - you scratch my back (i.e. tell me when I need help) and I'll scratch yours?
Now it's "Ahhh! A cracker!" to everything, good or bad.
Whistle blowers have been prosecuted and prosecuted for a long long time..... why do you think we would be immune to the norms of society?
This, from the only country that forces you to go through customs & Immigration even to handle a connecting flight.
From one of the few remaining countries with a death penalty.
From a country that still taxes its people even if they reside in a foreign country (Only a few countries still do this; one being Libya)
God help us.
Feds:
White Hat? What's that?
The only good hacker is a dead one, right?
But seriously, this guy deserves a medal, not time in jail, or fines. If a worker at a car company knew of a serious fault in another company's car, and didn't come forward, he would be guilty of murder (assuming people died from the flaw). If this guy didn't come forward, he would be partially responsible for the damage caused by the security flaw.
I doubt this case will go that far, though.. I just wish the government would realize how fucking stupid they are being.
One of the things that lawyers will suggest to a whistle-blower like this is to have lunch in their lunch room, and talk loudly so as to get the information across
(strange, but true)
JoeLinux
It says in the article that he 'tested' the secure hole to make sure it was indeed a security hole. It depends on what he did to that site during that 'testing'. If he did something illegal, then they are going to bust him down in court for that.
...burn him!
The bottom line is, with all the FUD in the media nowadays (CR, Sircam, etc..), anyone who finds a flaw in some type of system is gonna get shafted, period.
The only thing I see as a possible remedy to this is for people to actually start using all those anonymous remailers that are floatin' around, otherwise, be prepared to get bent over for trying to be helpful. I can relate to this personally, the only good thing about it is that I only got fired, not arrested. But how much more BS are people going to take before they start to take a stand against this kind of crap?
Doing a good dead
Intercourse with a deceased individual is not only illegal, but immoral, and you should be ashamed.
Do Something About This!
The amusing thing is that under many statutes of the law, you're required to report something going wrong. For instance, if a friend tells you that he's going to kill his wife tomorrow, you can be found liable if you don't alert authorities. Now, apparently, you can also get arrested for TELLING authorities about the potential crime.
Unless, that is, the feds can tell us that they WOULDN'T have busted anyone exploiting the security hole that Brian West found.
The FBI posed as employees of the Poteau Daily News and asked West about dedicated internet access (T1 or better). They called for the best time to come visit him at Cwis Internet Services, the company where he works. After setting up a meeting, the FBI arrived on Feb. 11, 2000. When the FBI, posing as the 'main office' of the Poteau Daily News, asked about the problem with the pdns.com site, West explained the details regarding the pdns.com (Poteau Daily News) website, including how to fix the server misconfiguration. At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked. As it happened, the site was still wide open, two weeks after he had explained the vulnerability and how to fix it to the editor-in-chief of the paper, Wally Burchett.
I'd be tempted to call this entrapment...except for the fact that he didn't actually commit a crime.
You're using her as bait, Master!
I don't know how, but I'm pretty sure that 'violating the DMCA' will eventually come up as the charge.
Talk to the techs.
Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?
Trolls throughout history:
Jonathan Swift
This is exactly the kind of thing that happens when a government is not kept in check. As a government grows so does their power.
... i just love doing a good dead.
I've finally had it: until slashdot gets article moderation, I am not coming back.
Actually, most countries won't kill you for criticizing them... contrary to what you might be taught in school.
I'm pretty sure that this has nothing to do with the Digital Millennium Copyright Act. In this case, the FBI seemed to be quite devious, not stupid. What does this have to do with Copyright violation? Nothing, since with the security hole it would be easier to deface intellectual property. Maybe you should consider spending some time away from Slashdot for a bit : ) Not every dumb government action is because of the DMCA, after all.
Okay, this is fucking insane. It's insane because I do this all the time with the companies I write web sites for--the number of misconfigured servers out there with problems like the one in the article is huge. And every time I find a bug in server security, I always and promptly notify the company who manages the server and the owner of the web site of the security problems, as well as how I found them.
If this is how this sort of good deed is rewarded, screw 'em. They can wait until a black hat comes along to exploit the hole, instead of some guy (I wouldn't even call myself a hacker, just a grunt) who accidentally stumbles across some ISP's stupidity in motion. And screw it: if the Feds treat every grunt out there like a black hat, what's the point in being a nice guy?
This really ticks me off. Big time.
Warning: MySQL Connection Failed: Can't create UNIX socket (55) in /home/gh0ul/public_html/include/connect.inc on line 6
We are having problems with our database, please come back at a later time.
(Highly inflammable post right?)
Two months ago, my firewall reported a scan from an IP...I was bored, so I checked it out and it looked like a home computer...on a hunch, I tried mapping to the \\www.xxx.yyy.zzz\c share with no password.
It was infected by a trojan that replicates off of unprotected C drive shares in Windows...I was looking at his C drive...and I thought about replacing everything on his desktop except for a note telling him he was infected with a trojan and his HD was open to the world.
Thank God I wised up...He could have had me prosecuted!!!! God I'm so starting to hate the government.
"I've never been to Vegas, but I've gambled all my life" - Ryan Adams
----------
ah honey, we're all resplendent - Bill Mallonee
Give 'em a whiff of the grape! (or at least the "slashdot effect"!)
You're using her as bait, Master!
Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood. This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite know how to respond, so I waited a day to see if the problem went away. It didn't.
I figured that if I could see the shares other people could too, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.
They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.
However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.
Stand Fast,
tjg.
So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What do I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?
This is a crappy situation.
Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
--Ambrose Bierce
Given the apparent level of technical expertise of these idiots, and their repugnant behaviour, I suspect that they may soon become the "victim" of community (vigilante) justice.
...never be a good samaritan, because no one will appreciate your efforts.
Imagine this conversation in your street:
Guy 1: "Hey neighbour, you've left your front door wide open and I think the local hoods are eyeing over your TV and VCR system."
Guy 2: "What? You say you saw my front door open? How did that happen? I couldn't have left it open, not me. You opened it, right? I'm calling the cops buddy."
Only in America.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
I'm going to explain this very, very, very simply. Say if whitehat A were to find a security hole in your company's computer, and would notice you. And you were to fix it. You thank him and (possibly) send him a small check.
Now... it appears that you would rather have the white hat see that your computer is vulnerable, not notice you because he doesn't want to go to jail. And start programming something else. Then, a few weeks later a script kiddie comes by, sees a vulnerable machine, grab all the passwords. and deface every computer on your network he could find.
Take your pick!!!!!
Sig you!
Outrage? Yes. Stupid? Yes. But considering the environment where any script kiddie can launch something like Code Red, is this really a surprise that someone overreacts and calls in the FBI?
Not that I think it's right (I don't), but it's not real surprising.
so if I see a girl being raped in the alley way, I should walk on, not tell anybody, ever.
don't tell anybody. no please. We're really perfect people. If you tell someone, I will kill you.
will someone please kill me?
With all the news lately about high profile 'cybercrime', and the foundation of 9 new divisions to help combat it, the FBI is under a lot of pressure to provide results and visibility. In essence, they have to make a lot of arrests, valid or not, to warrant the increased budget they have been given. No arrests, no money. The agents on this case probably realize that he had good intent, but they needed to arrest him anyways, just to get their stats up. They also know that he most likely will get off, but well, that's not THEIR problem. They just arrested him, DA's are supposed to get convictions.
And if it costs this poor bastard thousands of dollars? Sorry bub, but they gotta keep their budget.
Is this right? You tell me.
FBI goons play friendly while gathering evidence.
Only those things that can be used against you are considered.
Where is there news here?
I have made it a point to NEVER, under any circumstances, connect to any service beyond web pages linked by their own site, without written permission of the owner, on their corporate letterhead.
Exposing security problems is considered to be a nasty evil thing. Don't do it. Let them be hacked. Do not do it yourself. If you accidentally find a hole, don't access it. Don't tell others of its existence, just go on about your own business.
You, a computer knowledgeable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Don't provide it.
It's sad indeed that in 2001 America, we've seen truth in the old adage "no good deed goes unpunished".
I suppose in today's legal climate, the only way to treat your neighbor is callousness, at least, and stay out of jail. Help your neighbor, get 1-5 years.
My suggestion to all those who are admins/coders/hackers/engineers, keep it to yourselves. I suppose we'll secure our systems, and let the government and the rest fall prey to script kiddies and our silence until they learn the Darwinian lesson of the consequences of their stupid 21st Century "digital age" laws.
=== The price of freedom is eternal vigilance
This is pure insanity. Stories like this really lead me wondering if the government REALLY remembers who they are working for.
In this case, the law should also cover cars. It should be illegal to report any problems with any car. All the people complaining about Ford/Firestone should be put to jail.
Maybe then the Feds will realize how idiotic the law is.
Stop messing with slashdot's servers, you hooligan!
Soma: because a gramme is better than a damn.
This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.
InstaPundit! Ahead of the Curve Since 30 Minutes Ago
"yet the prosecutor claims that if he doesn't get convicted under Title 18 Section 1030 of the USC, then the prosecutor would try for wire fraud."
What? Huh? First off, if the prosecutor goes for Title 18 Sect 1030 and doesn't get a conviction, he can't just go after him again for wire fraud instead. Double Jeopardy.
Also, I guess it doesn't say, but what about the chief who recorded the convo over the phone. How legal is that in Oklahoma? Anyone? I know in some states it's 100% illegal and in others there are loops to jump through.
The ultimate network admin tool needs HELP!
The story went into no details on what he did besides click 'edit' to compromise the site? It didn't actually state what he was formally charged with other than mentioning 'wire fraud' which could have a wide varying set of meanings. As part of being in this community I think it's up to us to dig and find more information before making rash decisions. After all, aren't we criticizing the FBI for their, apparent, rash decisions?
Uh-oh, -- the site is Slashdotted already!:
Warning: MySQL Connection Failed: Can't create UNIX socket (55) in home/gh0ul/public_html/include/connect.inc on line 6
We are having problems with our database, please come back at a later time.
My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that it's often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.
The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.
now we need to go OSS in diesel cars
The way these things work is that the userid he picked at random was probably the userid of a secret mistress of one of the top FBI agents.
I was once a witness to a purse snatching where the victim happened to be the wife of the first cop who showed up. In the middle of something like that you sometimes doubt whether your mind is functioning normally. The cop car rolls up, the cop jumps out and immediately proceeds to give the victim a three minute hug. Hey, these guys are more compassionate than I thought.
The activity that followed couldn't have been outdone if the War Measures Act had just been invoked. The guy who snatched the purse is probably doing concurrent life sentences by now.
A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.
The FBI, in particular, is very ignorant about computers and security. Read this Month's crypto-gram (one link from the page I linked to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.
About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.
Instead of just listing the mailing lists that exist, the program gave me a list of all mailing lists, and all people subscribed to the lists.
Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.
At this point, the people freaked out. They thought I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.
Thankfully, the moderator of the mailing list was a member of our family's church. I wonder what could have happened if we were not on friendly terms with these people.
Finally, I wonder why the FBI pursues crap like this, and not stuff like legitimate problems where the FBI could really help (scroll down to the section where he describes his dealing with the FBI).
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Y'know the worst thing that might happen?
They get cracked by some l33t /. reader and use that as evidence in the FBI case..
What's this Submit thingy do?
This version may be the truth, but this sounds like a pro-West report.
Is what's mentioned everything that West did ?
Gyan
Our government is clearly out of control with regard to incidents like this. This case sounds like it deserves nationwide protests just as much as the Sklyarov case.
Use the DMCA, kill Frontpage :-)
Everybody sing D - M - C - A (+ handwaving)
Feel free to copy this and send it off if you like. With luck, either the DOJ will quit, or we'll get a better explanation. Hopefully we can create an awareness that VOTERS are watching what happens in these matters, and that we expect reasonable action and competence.
Don't post inaccurate information
If you do, I swear by my pretty floral bonnet I will end you.
If the Government and various Companies want "Security through Obscurity", I say we give it to them. Will it solve their problems? No it won't, it will make their problems worse. However, it will solve several other problems, this article being a perfect example of a problem which could have been avoided. If he didn't report the security problem, he would have never been arrested. If System Administrators and the FBI want to bury their heads in the sand, then far be it for us to try to change them. I am sure there are a great many Crackers who would love to go back to the wild days of the 80's when every computer system with a connection was owned and information about cracks were circulated through underground BBS's.
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
Mr. Wally Burchett has some serious issues, and the Poteau Daily News has something coming to them if they think they can get away with this.
Everyone should start writing letters, call the editor, etc. From their Web site:
Address:
Poteau Daily News & Sun
P.O. Box 1237
804 N. Broadway
Poteau, OK 74953
Office Hours:
7a.m. - 6p.m. Mon.-Fri.
8a.m. to Noon Sat.
Phone Numbers:
(918) 647-3188
(918) 647-8198 Fax
Email:
pdns@pdns.com
publisher@pdns.com
If you write letters, direct them to Mr. Wally Burchett.
As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.
For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.
This guy needs an attorney. He also should not under ANY CIRCUMSTANCE go to the grand jury proceedings unless compelled by law to. As it appears he is not compelled by law to, he should not go to the grand jury proceedings.
I see a paranoia regarding worms/viri and the government. Code red seems awfully hush hush regarding any information on the perp, and the initial location of the infection. I am sure the initial infection point are logs on some computer somewhere.
p.s. the link to the story is already broken
Ten firemen of the Oklahoma city were arrested early this morning for trespassing.
The squad alleged they broke into a house because it was burning, and they received an emergency call that said there were people trapped inside it.
Instead of innocent trapped civilians, they unknowingly tried to rescue undercover FBI agents.
The firemen broke the main door and entered into the burning house, when they were immediately charged for vandalism, trespassing and attempted burglary.
They alleged they were trying to save lives, but this is no excuse to FBI agent Smith, that said:
"What we are facing here is a very serious crime. They entered the house without written permission from its owner. Their work doesn't matter. Or do you think a teller can enter a bank's safe and get money without permission?"
If the firemen don't get convicted, then the prosecutor would try for arson.
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
Our government licks sweaty dog balls...
Orwell, MS sucks, hicks in the midwest, clueless FBI agents.
There. Now, go do something constructive with your time.
While this individual seems to have done a "good deed" in communicating a security flaw and this pursuit by the feds is excessive, the issue should at least get a fair treatment from both ends. Just imagine the following conversation:
Concerned Citizen: "Mr. Smith, I'm calling because I noticed that your bedroom blinds are partially open and I can see your wife walking around in the nude. I thought I'd bring this to your attention so you can remedy the situation before more malicious sorts exploit the breach in your window dressings."
Smith:"Are you sure about this?"
Concerned Citizen: "Yes sir. Just to be sure, I pulled out my binoculars. I can tell you that your wife has a pierced left nipple and a tattoo of Bugs Bunny on her right butt cheek. Oh, and I'm sorry about your lack of gift. They say that size really doesn't matter anyway..."
Smith: You bastard!!
A co-worker of mine found a strange machine on a corporate housing DSL network. Turned out to be a CEO of a consulting firm. My friend did poke around and noticed what could have been sensitive documents. He also was able to look at this individual's cookies. He was not able to find the guy's e-mail directly so he contacted the company instead. The CEO called him directly, thanked him and offered to take him to dinner.
The big question is, would this guy have been as grateful if he knew the methods my co-worker used to figure out who he was? It's a fine line. Maybe being an anonymous good samaritan would be the better route.
-Nuke the moon
Since I don't have the cash to contribute right now, I did send an email to the address given at the end of the article. Here is what I wrote:
Hello,
I just read about a case involving Brian K. West. The URL is:
http://www.linuxfreak.org/post.php/08/17/2001/134
From everything that I have read, this person did absolutely nothing
wrong. I fail to understand why he is being persecuted for simply
notifying somebody of a *VERY SERIOUS* security hole on a service they
offer to the entire world.
Please consider throwing this case out. Mr. West has undoubtedly
already lost much time, money, and reputation due to this injustice.
Had he done the same thing for me, I would have immediately sent him a
message of thanks and IMMEDIATELY secured the site. Apparently, weeks
after the initial warning that Mr. West was so kind to give the poteau
daily news website administrator, this hole (really a misconfiguration
on the administrator's part) still was not closed.
Allowing frontpage publishing to the entire world is a serious
potential vulnerability. Doing the same with no authentication
mechanism is just plain stupid, especially for a news site whose
integrity is at stake.
If you would like to see other people's views on this incident, please
visit:
http://slashdot.org/article.pl?sid=01/08/18/17025
-- greg, webmaster@no.slashdotting.desired
--
Greg Spath
gspath@no.slashotting.desired
http://no.slashdotting.desired
After reading that article I am appalled. Why does no one stand up to the FBI? Why did he not tell them to take a hike when they didn't present a search warrant? There are certain pieces of paper that our founding fathers created so power hungry men like this couldn't have their way with people. They are called
THE BILL OF RIGHTS and THE CONSTITUTION
Will we have to fear the G MEN from now on?
This sort of thing happens to a lot of Gun Owners except it is the ATF doing it. They are just on a witch hunt.
It's not the OS it's the user that sucks. If it's user friendly, you get stupider people. - clinko
I have a similar problem facing me right now. Recently I have discovered that I can re-write cookies/alter HTML on my machine and "pay" for my parking tickets with any amount I want via my city's web-site. It is a common problem where e-commerce websites trust your computer with the correct amount. To test this I paid $5 for a $50 ticket I had and waited to see what would happen. Sure enough, my CC was charged $5 and upon phoning the city, I discovered my ticket has been marked as paid. Now.. do I phone the city and tell them about this problem, or do I just let it go? I figure eventually some audit will turn up a $45 discrepancy.
For all of those tempted to donate money, make sure you check out the story first!
If I notice smoke coming out of one of the windows of your house and point it out to you, you'd be more than happy that I did.
that's what this boils down to. forget the legal mumbo-jumbo. West pointed out that smoke was coming out of a window and that the potential for a fire was there, and he gets blamed for the fire that could (BUT DIDN'T) ensue.
"No, Officer, I didn't want to steal that car, I was just going to notify the owner of the insecurity."
This is the worst analogy ever. This is more like someone parking his car out front and yelling "Come look at my car! Come look at my car!" And When someone looks in the window and says the door is unlocked and keys are in the ignition calling the cops to have them arrested.
The part you seem to be missing is that it was an explicitly public access site and he inadvertently found a hole. He wasn't looking for one, he just found one. Would you be arrested for robbery if you saw a $20 bill laying on the sidewalk?
This is nothing new. The FBI has been screwing up stuff like this for the past couple of years in many different areas. Remember Richard Jewell? Same situation as this, just without technology involved. The problems with the FBI don't stem from ignorance of technology.
$45 per U Colocation Special
Shouldn't MS be a co-defendant as they provided the software used to 'hack' the site? Isn't there something illegal about making tools that are used for 'hacking'?
I had to go through C&I to get to my connecting flight at Schiphol (sp?) at Amsterdam. Very annoying (since my incoming flight was so late that I had 5 min to connect. blech.)
Gathering the information from the reports is a tough nut to crack. If all Brian did was open the page using the EDIT command then I don't know why it would show hundreds of accesses.
On the other hand, if he opened the site in Front Page -- which is a natural extension to see how far the site was compromised -- the log files would show hundreds of access if he went to all the pages especially if the Front Page bots were being used.
Either way it is sort of humorous that a paper would leave the ability to edit the pages open. I didn't see any comments that said otherwise. It looks like someone didn't enable the basic user/password challenge for accessing Front Page in administrator mode.
Something a bit similar happened to me a few months back. I discovered a big security hole in my webspace provider's server, which allowed me (or anyone else who knew about the hole) to read all of other users' e-mail and access all the pages, which included seeing passwords for MySQL database written inside .PHP files.
I notified the sysadmin about the hole and all I got back was "we are really busy and we don't have time for such details right now. we'll look into it at some point". Well, almost 8 months later the hole is still there. And the best of all - they are giving away free 1-month trials to anyone who wants one. You don't even have to provide your real name, because they never check it!!
Some really never learn...
Actually, the FBI agents weren't trapped inside, they were just debating who would go to jail after one agent pointed out that another's fly was open. Was the person with the lazy zipper a sex offender, or was the person who pointed it out a peeping tom? By the time the firemen got there, the agents had all handcuffed each other to each other. Local police commented that this was obviously some arsonistic sex cult, and that the FBI agents' names should be listed on a public bulletin board. The NSA pointed out that this would unnecessarily expose the agents, so the cops were arrested. The DoJ brought the case before the Supreme Court and thus was the entire American 'justice' system brought to a halt.
The firemen, having no one left accusing or prosecuting them, returned to life as usual, and the nation breathed a sigh of relief as good samaritanism was, if not legal, at least accepted again as there was no one to prosecute the cases left.
Returned Peace Corps IT Volunteer
Hrm. I think we need updated/slightly modified good samaritan laws to cover this sort of thing. This is even worse than situations GS laws were meant to cover. Currents are if you cause damage accidentally trying to help. He didn't even do that. It's like rescuing a man from drowning and having him sue you for doing so. To quote John Stossel: Give me a break.
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
The tail is now waving the dog, i.e. the corporations are now telling the government what to do, and when to do it. The really scary thing is that what was once viewed as a United States law issue, is now being exported to the rest of the world. I have read where the EU is now considering 'Software Patent Rights' and DMCA style laws, to "protect" big corps. like the government and laws do, in the U.S. WPO is also being used to extend this.
One wonders where it will end...
he is guilty of unauthorized access to the PDNS web site. He admitted in a recorded conversation with PDNS representatives that he accessed the user names and passwords to their site, that he entered their site using these names and passwords, and that on three occasions, he entered the web site of 1st National Bank of McAlster and was able to view customers checking accounts, savings accounts, and money transfers.
So, going back to the house analogy, he is guilty of going inside and looking around.
The details of the affidavit are from Brian West's own web site, http://www.bkw.org
"Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
I was talking to a friend who still worked at a place where I had been previously employed (both of us in IT), when he mentioned that they had moved their web services to a 'professional' hosting company. I had been playing around with SAINT, and during the conversation, (I forget who mentioned it) we decided to scan the machine hosting their site. The scan showed anon FTP with write access. I logged in (anonymous) and noticed that I had write access to the entire site, including all the scripts that dealt with the credit card numbers. After checking to see that the write access was real (I created a file in the root directory, containing my name and phone number, and an explanation of what I was doing) I told my friend to have that company called up and have the problem fixed immediately. Later that day, I got a phone call from the 'professional' company that was hosting them, slightly upset at my actions, but just happy that I *was* benign. They could have done the same to me as has been done to Brian West, but instead they fixed their problem, and let me live.
Nathan Brazil?
I am ashamed to be an American. I can't believe this is going on in my own country. This kind of stuff makes China look good. I hope this guy sues the daylights out of the FBI. I also hope this does not keep other honest people from reporting security holes to their sys admins. That though is where he should have started. By reporting the problem to a sysadmin, he would have caused less of a scare by the company.
I found a hole in slashdot and now there are a bunch of angry fat people in front of my house yelling things at me
The Slashdot Effect: A new for
"When Mr. Burchett called back, he recorded the call and asked for details on the server problem. In the course of explaining the problem, West let Mr. Burchett know that other companies, including West's own bank, had experienced similar problems configuring server software. Following their phone conversation, Mr. Burchett gave the tape to the Poteau Police Department. That's when the FBI got involved."
Isn't taping a phone call without both parties' knowledge/consent illegal? Wasn't Linda Tripp charged for that?
There is a link in the story to make donations, and I would if I could, but if he wins I hope he can sue them to get his money back and more... The person who got him in trouble should be the one who is punished, not him.
They that quote Benjamin Franklin on liberty and safety deserve neither.
Anyone with a bad idea and enough money can get any nonsense turned into a law.
--Blair
"Democracy is a wonderful thing. I wish we had some."
a flight from Frankfurt to Munich is domestic? (duh)
It never ceases to amaze me how absurd these people can be. This type of action reminds me of a time when a family member (a lawyer) came to me to find out if there were any way to sue someone under libel law for posting to a newsgroup much like slashdot.
Simple actions, obvious freedoms, and inane people in places of power trying to remove them...
Will it ever stop?
It can, (and probably will, if the DMCA isn't killed) occur, just as you implied.
But consider a similar case. Remember when there was a huge expose on Food Lion, with packaged meats being re-dated? That didn't last long in the media, because the reporter (who went undercover) violated Food Lion's Non-disclosure agreement.
In this case, the DMCA is just like a NDA, and even applies. We signed the agreement by voting for the senators and representatives we did.
Fortunately, NDAs can be declared invalid, depending on various laws. So can the DMCA, by the Constitution.
I will be one of the many disappointed people if the DMCA isn't declared unconstitutional.
What's this Submit thingy do?
Posted by timothy on Saturday August 18, @12:09PM
This is similar to Adobe's case with Dimitri. Tell a company of a flaw in their product/system, they consider you a malicious person.
The U.S. Government seems to support the idea of allowing unsecure products and telling people not to exploit them. I guess their being against encryption falls into the same place.
Free Oklahoma ISP!
One item not mentioned in the article is the details of Title 18 Section 1030 which pertains to 'Fraud and related activity in connection with computers'. Under this statute, mere access to protected computers owned by the federal government is a criminal offense, and access with intent to cause damage or defraud are offenses, but this guy hasn't committed any of these offenses. The only offense he might have committed is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.
The problem with prosecuting under this theory is that as far as I can tell (and the article doesn't really say either way) accessing the computer hosting the newspaper website was not done across state lines (thus affecting interstate commerce - which is why this clause can exist in the US Code at all). Does anyone know whether access to the newspaper website was done across state lines? It doesn't look like it to me.
--CTH
--Got Lists? | Top 95 Star Wars Line
Anyone heard of Randal Schwartz? He's been fighting something like this for years.
What you did is highly illegal. There is no backing out of it by saying, "I was just testing a theory."
What will end up happening is you are going to be found out one day, if it is a smaller city that performs yearly audits and then you will find a FEDERAL WARRANT out for your arrest. This is because you performed a FEDERALLY PUNISHABLE CRIME. The only thing you can hope to get is a light sentence if you bring yourself down to the courthouse and get in touch with the right people.
You might get real lucky and have a slap on the wrist. However, the longer you wait the more likely you will go down in flames.
What you did sucks and I have no sympathy for you.
--
.sig seperator
--
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
You try doing chemistry as a hobby at home today you will find yourself in jail. Even if you never make any drugs or bombs, it will be assumed that you are making drugs and bombs. The possession of any chemicals which could conceivably be used for making drugs or explosives will be taken as evidence that you are making drugs and explosives - even if you aren't. Even if you have careful notebooks which explain what you're doing, it won't help you. People have been sent to prison for possession of three-necked flasks and triple-beam scales!
Computer security has, I think, gone the way of chemistry. Don't do it at home! I am by nature a paranoid person - perhaps this is to compensate for my lack of ability to "read" people and take hints - it would never occur to me to do any white-hatting and give my real name. I would have notified the newspaper jerks by email from an anonymous terminal or by disposable calling card from a payphone. The boy in this case should have told his boss at his company, and let his company decide whether to call or not. Instead, he goes off and gives the impression that he goes around finding holes in systems, on his own, all the time! If security is your hobby, go and get a job at an actual security company and do it full time. Or don't do it at all.
All of this crap, and the DMCA is going to lead to buggy, harmful websites and encryption and compression.
Thank god I use a mac, cuz when this hits the fan, Windoze users are gonna get reamed more than they already are. They already spy on people through the windoze version of IE, imagine what else they do without us knowing.
Are we in a police state or what? Stuff like this scares me. It's obvious that the FBI not only is totally clueless about enforcing their own laws, but probably clueless in general. Plus, they aren't above using entrapment to get an innocent busted. I have a major problem here. At least in the USSR you know where you stood with the KGB. Here in the United States we're taught to believe that people have rights and the government works for US. What's dangerous is that this (and other late examples) show what scam artists our government truly are. Our representatives aren't any better either. They believe the cure for everything is to pass more laws and take more freedoms from us. Canada is looking better every day.
And that doesn't go on here? Do you know anything about the growing resistance to neoliberalism (aka Corporatism)? About the police state tactics in any cities where the neoliberal elite hold meetings? About the lists compiled by the FBI of anti-corporate activists (lists which are shared with foreign governments)? About the infiltration of activist groups? You think America is the land of the free? If it ever was, it isn't today.
In Brian's case, this reminds me more of a guy walking his dog around his neighborhood on the sidewalk who notices that the front door of one of the houses was left wide open and that there are flashing neon signs pointing to the open door that read
ENTER HERE -->
TAKE EVERYTHING IN MY HOUSE! PLEASE! I DON'T WANT IT! IF I DID, WHY WOULD I PUT THIS SIGN UP AND LEAVE MY FRONT DOOR OPEN?
So, the guy looks at the mailbox to find a house number, looks up the number in the neighborhood directory, and calls the owner to make sure he's aware of the situation.
We can start an entire thread on analogies for things like what Brian did and what portscanning is, but it just becomes subjective depending on how familiar you are with the technology. To many of us, opening up a file that contains contact information after Frontpage accidentally goes into editing mode instead of read-only mode (or whatever) and then contacting someone about it seems trivial. But to your average FBI cybersleuth, it's just as trivial to spin this in an insanely dark direction.
Isn't it more fun to catch cybercriminals than to wander around determining that those people are actually innocent? Try to convince your average cocky FBI boy of that.
Many of us have pointed out problems with web sites but few of us have been keelhauled for it. This is a chilling development to think that FBI agents are so eager to be promoted for appearing to be cyber-savvy with such grandstanding symbolic arrest-like-gestures and ISP managers trying to cover their incompetent butts by crucifying a well intentioned guy like this.
Moral: Stop reporting security holes!
Wansu, th' chinese sailor
How did he test the hole?
To make sure it was in fact a hole, he would have had to get one of their files, alter it, and place it back on the server to see if his modified copy was in fact in place.
This is obviously a felony, and has been for a long time.
Whether his intentions were felonious, mischievous, or saintly is why we have courts and trials. The plain facts of the case are clearly felonious.
If a man walks into my house, uninvited, and knowing that he was uninvited, he has just burgled my house, whether he intended to or not. Even if he had reason to believe there was an emergency or whatever. Clearly, even if I don't like the man, and want him arrested, if he can show that he was acting like a concerned citizen, most juries will not convict. He says he walked up, knocked on my door, and it popped open. He then closed the door, pushed again, and it popped open again. He then walked into my house, just to see if that was my only line of defense, or if I had an interior door. Having walked to my kitchen, through the living room, he decided that there wasn't an interior door, and he left. After he left he called me, telling me he could walk into my house anytime he wanted, and he knew this, because he did just that, and didn't I know that olive refrigerators weren't in style anymore. He also told me that he had a better door to sell me, if I'd like, because he knew that other people in the area, using the same door I had, have the same problem.
Demand a jury trial, and argue that there was no criminal intent, because even with the HIGHLY BIASED, and TECHNICALLY MISLEADING sympathy provoking article, it is obvious that he technically committed a felony.
If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worthy of a *FEDERAL FELONY* conviction.
I donated to Brian's cause, because as a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).
If you don't believe in this case, donate to the EFF instead.
---
Segmentation Fault ( core dumped )
By this definition, all computers connected to the Internet are "Protected" under US law. So what they are charging Brian with is accessing this "protected" computer and downloading a Perl script to which the company assigns a value of $5,000.
The fact that the computer was unsecured does not play in the matter. If the Perl script had been on a public FTP server, they could still charge him with "obtaining anything of value" from a "protected computer".
Passer-by: "Hello, police? Yea, I was driving by KMart when I noticed that the doors have been broken off of the front of the building. You might want to get someone over before the place gets robbed."
Police: "Stay there for a while sir and watch things until we arrive."
15 Minutes later...
Passer-by: "I'm glad you made it. I was getting tired and..."
Police: "You're under arrest for theft and breaking and entering."
Yea, that makes a lot of sense.
You don't know which people don't want you to be helpful... and I for one don't really want to help create a situation where you have to assume no one appreciates help.
...will no longer look out for his neighbors.
To put it bluntly, I had to deal with the local Police Department, yesterday, because someone had broken into a neighbor of mine's apartment. After reading this article, I'll stay uninvolved from now on.
Thank you, FBI, for making my life simpler.
This isn't anything like entrapment. For something to be entrapment, the law enforcement agency has to suggest committing the crime to the perpetrator with no foreknowledge of his propensity to commit the crime.
So, if I walk up to someone I have never seen, and offer him drugs, and he accepts my offer, I can not arrest him. If, on the other hand, I walk up to someone that has been convicted several times of drug dealing, and offer to buy, then that isn't entrapment. Or if I am sitting in the room, and a man offers me drugs, or tells me how he just sold drugs to the guy on the other side of the room, and he doesn't know I am a cop, then it isn't entrapment either. Even if I tell someone I am a drug dealer, and don't ever actually offer them drugs to buy, and they subsequently ask to buy from me, that is still not entrapment.
In this case, they did not suggest the crime, or help in the crime. He admitted to his prior crime (which he did commit, and he admitted to, and the article even outlines what he did, although specifically vague, as to drum up sympathy) without having the crime suggested to him.
He did commit a crime, and the FBI did not commit entrapment.
First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically that's entrapment.
If the company asks me to demonstrate breaking into their website, then that's the same thing as inviting me into your house then having me arrested for trespassing.
Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.
All that aside, what do we do? Should we not bother to help the world secure itself? Should we just worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.
How DO we deal with this? Law Enforcement either doesn't have a clue, or doesn't care, and probably it's both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure Microsoft crap and have it work, and Microsoft certainly isn't going to take any blame for it.
This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcement involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.
As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if it's not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?
-Restil
Play with my webcams and lights here
Many years ago, I was told by a San Diego Police Detective that they are "not interested in the truth, only in good busts." The failure to understand this mindset leads to the kind of situation discussed here.
Prosecutors, police and bureaucrats (obviously, with a few exceptions) do not have your best interests in mind. Like most people, their own interests come first. These might include career, family, power, prestige or (fill in the blank). It really doesn't matter what their motivations are, just know that your interests are not considered or are at the bottom of the list. Expecting more is naive and dangerous.
This does not mean that they do not frequently do good and important work, it just means that their interests do not necessarily coincide with yours.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
And those of us who voted for other people lost. 100% of my candidates lost actually, so I don't even have 1/300,000,000th of a say in my government.
Think about it this way: Suppose you embark from Podunk, Idaho on your way to Frankfurt, with a connection in LaGuardia (New York City) each way. (Assume that Podunk Regional Airport has no customs and immigration facilities, but it wouldn't matter if it did.) On your way back, you'll go through customs and immigration in New York, because after New York, it's all domestic flights.
It works the same way going abroad.
--
We have fought the AC's, and they have won.
Totally wrong. Somebody who knows the technology must have been involved even before they called in the FBI. And I'm sure the FBI and the U.S. Attorney also have technical experts.
Undoubtedly Cyberlink has a policy of referring all security breaches with to the authorities. They probably call it "zero tolerance" or whatever the get-tough buzzword is this week.
Common sense says that West behaved responsibly. He inflicted no actual harm on the Daily News web operation, and indeed probably saved them some down time, or worse.
Unfortunately, common sense is not relevant here. When somebody gets caught in a technical violation of the computer security laws (even when the violation is a matter of interpretation, as in this case), the authorities have every motivation to "send a message" and go after the "culprit". Brian West's criminal intent, or lack of it, is simply not to be considered.
The ultimate safeguard is supposed to be the trial jury, which would presumably see that Brian is anything but a criminal. But in order to avail himself of that safeguard, Brian has to expend all his financial resources in an expensive trial.
So the U.S. attorney offers Brian a plea agreement involving no jail time. Brian gets to walk away with some of his finances intact, and the feds get to chalk up a conviction. Everybody's a winner.
Outrageous? Yeah, some people would say so. Stupid? No argument from me. Counterproductive? Actually making things worse? Absolutely. Unprecedented? You've got to be kidding. This is the way the justice system works, and this sort of thing happens every day.
I've long had a policy of never reporting security breaches, unless the victim is somebody I know and trust. I've had brushes with the "shoot the messenger" mentality before, though never anything as nasty as this. I'm not surprised, but it's a little chilling to see my worst fears so thoroughly confirmed.
I find it so ironic that geeks and programmers (myself included) are so one-dimensional about life. On the one hand, we spend enormous amounts of time and resources securing machines from outside intrusion, and ridicule those who don't (e.g., Microsoft).
On the other hand, our entire lives are an open book to any law enforcement agency, businessperson or non-tech professional because we just don't know enough about how life works.
Here's a clue: don't let an angry guy you don't know record you on the phone! Federal laws are very strict about the legality of recording telephone conversations. If both parties do not agree to the recording, the person doing the recording is committing a crime.
Maybe if we secured our own lives as well as we did our servers these problems wouldn't happen to us. Why do we blame the sysadmin if someone breaks his insecure box yet blame the government if they break into his insecure life?
Have fun: Join D.N.A. (National Dyslexics Association)
You realize time or no time,
a felony conviction can rip you
a new career asshole on a semiregular
basis for the rest of your life.
I just wanted to drop you a line to let you know how much I appreciate your efforts in the Brian K West fiasco
It is good to know that if I, or someone else, misconfigures my software that I will not be likely to hear about it from a well-meaning person because of their fear of prosecution. Instead, I will hear about it when it is too late and a truly malicious person exploits my vulnerability.
Where would the world be without people like you?
If you ask me, the FBI agents and any other law enforcement agents involved with this situation are the ones who belong in jail.
Cheers.
[signed with real name]
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Whether or not state lines were crossed is immaterial. The mere possibility that the computer could be accessed from another state is enough to trigger the statute. Even if the activity originated and terminated completely inside one state's boundary, the federal statute still applies.
Yes, I know this fact. When I said "everyone's a winner" I was using a special form of expression you should acquaint yourself with.
Let me set this up. I'm not a lawyer, but I was charged with, took a plea deal for, and served time for a violation of 1030(a)(5).
He is expected to be charged with a violation of Title 18, Section 1030. If we have all the facts, the closest charge would be under one of the subsections of 1030(a)(5):
knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;
It's not enough to merely access a "protected" computer. He has to have either intentionally caused damage or been "reckless" and unintentionally caused damage. He also has to have caused $5,000 or more in damage, which can include the time taken to detect and clean up after the intruder.
Now if he did not change any of their existing files, only created a new file to see if they were vulnerable, and notified them himself, there is certainly some doubt that he caused more than $5,000 in damage.
The government also has the burden of proving his criminal intent. This is exactly what will cause the judge to throw out the case, if it ever gets there. From the article, it appears clear that his intent was not to cause damage. If he can support that claim, he'll win. Heck, he should consider filing a suit of his own.
This case is almost certainly the result of an overly enthusiastic FBI Special Agent and/or Assistant U.S. Attorney. They are under pressure to build their expertise prosecuting computer crime cases and they are very actively seeking cases to try. They could very well proceed with this case just to gain the experience.
Perl for Prisoners
Tom Christiansen & Brian K. West
Foreword by Larry Wall
Why would it be illegal to use services people publish on the Net???
If I find a computer with an anon FTP service running do I not have their tacit approval to d/l the files they posted?
What's the difference if it's a Windows file share with anon access?
What's the difference if it's "edit" access on a web page? If "edit" access is enabled for anon users clearly I have their permission to edit the web pages.
?!?!?!?!?
This guy didn't "crack" anything, he didn't exploit a security hole, he only accessed services they had published on the Internet. It's obviously pretty stupid to let anyone edit your web pages, so buddy was nice enough to give them that advice.
So what did he do that was illegal???? Can I now post documents on my front door and have anyone who reads them arrested because the documents contain secret infos????
Or am I supposed to figure out what their "Intent" was? How about a mail server that is set to relay anything? How do I figure out if that was a mistake by their admin or an intentional setting to aid anon emailing and SPAM distribution?
A couple of years ago I found some strange charges on my credit card bill. Someone used my card to download commercial software. I did my own investigation and found that:
- when I recently subscribed online to an ISP, all the data was sent to one of the employees. That employee was probably responsible for billing.
- I could read /etc/passwd using browser and my dial-in password. I could find who worked for the company (they used ksh, others pppksh)
- I could read ALL MAIL BOXES using browser and my dial-in password. That included mail box of that employee. I found credit card numbers of 4 other people there.
- I could CHANGE ALL MAIL BOXES with ftp.
I also found what account was used to read e-mail with my credit card number.
I sent an email to the boss (I found who the boss was by looking in the employees' emails) and there was no reply. Then I edited the mail box of the billing employee ("I am interrupting your reading to inform you about such and such problems...").
Only then they fixed it. Oh, and I talked to the sysadmin, and he did not know what is sticky bit.
Now: should I rot in jail?
Yes...<scribble>....uh-huh....<scribble scribble>... go on... So you did what? Opened one of their files, which you understood to be something they did not want you to see? Interesting.....<scribble scribble scribble scribble scribble scribble *SNAP*...>Crap! Say, you don't have a pencil I can borrow do you? One of these days I'll get a computer to take notes on.
Also, would you tell us your address and save us the trouble of looking it up? We would like to uh, discuss your *discovery* further.
Special Agent Jones
Federal Bureau of Instigations...
Unless I am the victim of the crime or car accident I don't tell the police anything. If the police don't find something a lawyer will find something to ruin you with. Hey, if it doesn't directly involve me "I know nothing" as Sgt Schultz would say.
It isn't my problem if your front door is unlocked and a thief goes in, the same goes for the internet.
Now that the commies are out of the picture, A new villain is needed. The Chinese are maturing nicely, but won't be ready for some time. Child molesters and kiddie porn purveyors have filled the gap, but people are getting bored, and most of them are in prison by now anyway.
I know, let's get the geeks. Nobody knows what they do, and they look funny. Besides, they are responsible for the dangerous notion that democracy is more than dutifully not voting in elections.
If I see a site at blah.com with a problem, then I'm going to contact the admin@blah.com. If I see merchant X is running a site with problems, I'm going to try to contact merchant X.
So let me get you straight... you think he should go to jail because he notified the wrong person first? Are you serious or just trolling? He found a contact address and told them.
I honestly can't believe you think he should go to jail for not finding the exact right guy to report this to. "What? You told the sergeant about it! Only the captain handles these vandalism reports. Put your hands behind your head. This is a serious offense."
*blink*
Tell me you're kidding.
From the article: "They also refused to promptly provide a copy of the Search Warrant when one was repeatedly requested."
:-)
That, boys and girls, is a violation of a defendant's rights. A big one. We don't need to worry too much about this case, I think - a competent lawyer will get it thrown out on those grounds alone. I'm just surprised at the FBI stupidity. Wait a sec...no I'm not.
I'm the stranger...posting to
Normally I donate to "legal defense funds" (such as Skylarov) but this appeal has me a little suspicious. Particularly the appeal for $10,000 in lawyer fees and the convenient PayPal account. Other defendants have needed a support group or the EFF to set this up for them, but Brian has his ready to go.
I don't want to slam Brian if he's really facing unfair prosecution, but I also would like to see some outside verification of his story from a reliable news source (like the EFF or the ACLU).
Otherwise, it's quite possible that Brian is in fact a cracker and is playing on the sympathies of the Slashdot crowd to raise a little bail money. Remember, the FBI does sometimes arrest real criminals!
Please CC: your reply to me, since this item already has hundreds of comments and I'm not sure I'll find it.
-Josh
At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked
I can just picture this situation, these FBI agents were probably sitting there thinking "wow, this hacker dude is hacking into the site right in front of us, we've really got him now. This is too easy!".
Seriously, if an organization such as the FBI doesn't even have the know-how to tell the difference between "hacking maliciously" and "letting a company know they have a security problem", then their authority should be taken away from them - unless they can prove they actually know what they are doing - otherwise, we have a serious problem. You can't give someone so much authority and power to investigate crime when they know little to nothing about what they are supposed to be investigating. That's scary.
I live in OK. Never trust what the Oklahoman says. It has been judged one of the WORST newspapers in America (http://www.cjr.org/year/99/1/worst.asp). They are racist, homophobic, and very skewed on all their reporting.
Maybe we DID take the blue pill. You wouldn't remember anyway.
Ahem, this man has not been charged with a crime. That means they are blowing smoke -- for now. He does not need an attorney.
Look, several years ago, I walked near an area where a sexual assault had taken place. The police saw me, and you can imagine what happened. I was a perfect target -- single, no alibi, just walking between two places alone.
They questioned me, took my info, and left. The next day they started calling me at home and at work, trying to get me to confess, trying to get me to "accept" a lesser charge.
They stated that if it went to court, they had enough circumstantial evidence to convict me, that if I didn't take the offer, they would go for the most severe charge. I would be in jail for "years", and (obviously) lose my job.
If I would just confess to a lesser charge, they would "guarantee" no jail time, and no fine. After seven years, it would be like nothing happened, there would be nothing on my record.
There was just one problem with accepting the blame : I was not the perpetrator; I committed no crime.
So I was scared. I spent some money on an attorney ($75) and the guy wanted thousands "up front" to "insure my freedom".
As it turns out, most lawyers are lying bastards. I talked to my Dad's attorney about this, and he started laughing. He said "My God, this is America! You haven't even been charged! They're blowing smoke up your ass to try and get a free conviction for doing no work!"
He recommended that I call the Detective and state:
"My attorney and I will surrender to your department when charges are filed, please contact me at that time. I have no intention of fleeing; I would like to avoid the embarrassment of being arrested at my home or place of work".
Total cost for a real attorney : $0.00
I was never arrested, charged or contacted again!
Know your rights! You do not have to speak to the police...you should respect them and answer rudimentary questions with honesty, but once it becomes clear that you are a target of the investigation, stop talking! Simply tell them you intend to turn yourself in when charges are filed.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
I've had friends fired from high paying jobs for doing the same thing inside of the company that they were working for at the time. You just don't point these things out by yourself.
Yeah, it's fucked but that's how they think and work.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
Now if we can just get all the crackers of the world to start phoning the System Administrators of the systems they crack, we'd be all set!
--It's Pimptastic!--
He should've warned them in an old-fashioned stamped letter. The only private means of communication, until the NSA finds out how to trawl them for business information too.
This is like calling a neighbor to tell them that their door is unlocked, and being arrested for breaking and entering. In other words, this arrest does not enforce the norms of society, it gives them the finger.
There is a serious gap growing in technical knowledge between the folks who run society and those who live in it. Stories like this suggest that the gap is growing so great that our leaders may no longer have the moral authority to enforce laws, since they are no longer capable of understanding them.
I'm reminded of the story about a journalist hauled before a Peoples' Court. The judge sentences him to 20 years' hard labor because he published an editorial calling the local Party boss incompetent.
:)
The judge goes on to explain that one year of the sentence is for counterrevolutionary thought. And nineteen years for revealing state secrets.
Amazing how we've created our own Cultural Revolution. I'm waiting for the current administration to order all the college students out to work the winter wheat harvests.
The DOJ prosecutor's letter to Mr. West was quite revealing.
"Also the government would be willing to resolve this matter at this juncture if you agreed to plead guilty to one violation of Title 18, United States Code, Section 1030. As part of the agreement the government would stipulate that your sentence should be probation. Please let me know, in writing, as soon as possible, whether or not you wish to resolve this matter pursuant to plea agreement."
To let him off with probation, no fine or jail time whatsoever, is DA-speak for "We've got an incredibly weak case that might not clear the grand jury."
This is the way most cops and prosecutors act, whether it's a traffic ticket (in my case), or a so-called hacking case.
Everyone's guilty of something in their minds. In my case, I was profiled, stopped because of the way I looked. I sat in my car for thirty minutes while they ran me through just about every database on the planet, looking for something on me. I'm a nice guy, there's nothing on me. Then they tried to stick me with running a red light. I complained so much about that, the cop on the scene decided to do me a favor and gave me a less serious ticket, one for ignoring a traffic signal. The cop wasn't doing me a favor, she was covering her ass. I decided to fight it. In court, the prosecutor called me outside and tried to cut a deal with me. If I pleaded guilty, they'd waive the court costs, saving me about a hundred dollars. I said no. When my case was called up, they declined to prosecute. The case was dismissed. I wasn't guilty, they knew I wasn't guilty, and they still tried to stick me with the ticket.
This is a tiny, tiny incident compared to Mr. West's, and I only tell it as an example of prosecutorial behavior. Sheldon J. Sperling's office is trying to get out from under a bad case. Mr. West should expect more pressure to plead out in the days before the grand jury convenes.
Should Mr. West testify at the grand jury hearing? If it were me, I'd do it. Here's why.
The offer of a plea in Sheldon J. Sperling's letter is a standard tactic of prosecutors with a weak case. It might seem like a quick-fix now, since there's no jail time and no penalty, but such a conviction might damage his employment opportunities in the future.
He should look around for a cheaper lawyer, they do exist. But if he can't find one, the $10,000 is a good investment in the future. Only if he's feeling very, very brave and confident should he go without the lawyer.
If the facts are as he stated, there's a good likelihood that the grand jury won't hand down an indictment. This is sometimes hard to tell, since a few grand juries are led by the nose, while others are independent of the prosecutor. In an ordinary case, the defendant's appearance might hurt the chances of its dismissal. The prosecutor might use the opportunity to put on a show, browbeating him into looking guilty. On the other hand, this is about a technical subject. Mr. West has the advantage over the prosecutor. If he thinks he can easily and simply explain the technology and his actions without getting rattled by the prosecutor, he should go. I would.
Mr. West, if he thinks he's able, can derail this process at the start, avoiding thousands of dollars in legal fees and a year or two of worry. Me, I'd go for it.
report it anonymously...
For anyone interested in reading the law under which the prosecutor is planning to charge this guy, it is here
If the details of the story are correct, there's no way the DOJ can win this case, as all of the provisions under the law have to do with intent to defraud or demonstrable harm having occurred. But, as others have pointed out, the details are a little sketchy.
It's just NOT the same thing.
Should I modify your computer? Heck no.... I shouldn't, you are absolutely correct about that.
However, simply trying to connect to \\blahblah\c and having it work is hardly 'breaking in'.
No, I wouldn't break into someone's house just for fun. But, let's say I was walking down the street, and I saw a shopkeeper locking up for the night, but noticed he didn't shut the door. I'm going to be a GOOD citizen, walk over, see if it's just my imagination, or if the door is actually open, and if it IS open, I'm going to go TELL him about it. I don't expect to be prosecuted for breaking and entering or trespassing; I expect to be told 'thank you'.
I think that Brian never read slashdot, otherwise he would have learned from previous articles that he shouldn't do something like that.
Be nice and you'll go to Jail for free, I mean what more can you ask for?
Well this article bothered me until I realized that I AM PAYING FOR THIS!! If the FBI guy working on this had been fired a few months ago, the whole country would have gotten an extra $0.000002 on their rebate checks. (Probably less than that.) My letter to the guy at the bottom of the article simply said "Stop wasting my money." After, of course, referring to the case.
Then to avoid prosecution or commute his sentence they will have a forced participant in their system when some big problem that they can't solve pops up. Book 'em, then use them, then throw their life away. It happens on the Sopranos, and in real life only differently. Once they have you as someone that has done something wrong, even in the slightest, you're screwed.
Turning in your friends is a common, everyday, police tactic that is used constantly in all departments.
OK take this as a lesson, next time you find a security hole, to hell with being a nice person and alerting the victims. Just do as much damage as you can and take anything you can. I mean, if you're gonna get caught anyway, why not at least have a good reason to get caught.
Sadly, it looks like a good policy to follow these days is to NOT help people until they come begging for your help, and then, charge them handsomely for it.
Strangely, though, unlike most other countries, you can have a choice on your occupation, and you have decent property laws, and you can carry a weapon for self-defense if you want to, and you can move out if you're a pinko that has no idea how good the USA really is.
Obviously, the more the government wants to crack down on "hackers" the more protections people who spot security holes and such need. This reminds me of First Aid protection people get, in an emergency you can apply first aid and you cannot be sued for screwing it up.
It would be nice if someone wrote up a bill giving those who report flaws the same protections.
So the lesson we learned here is to send security warnings like that through anonymous E-mail.
To make an analogy- if I walked by your car in a mall parking lot and noticed that the manual lock button for the door made it look as if your car perhaps was unlocked. Then just to make sure I opened your car door. I do not take anything from your car, I just note the security problem and close the door. It was more than likely that you did not intend to leave such a hole in your personal security to allow theft of your car or the valuables inside. Then I flag you down and tell you that you should lock your car. You would probably be grateful that I helped you protect your property. If the same rules that are being applied to Mr. West applied here I would be charged with Grand Theft Auto.
This is the FBI we're talking about here -- the same agency that burned over a hundred men, women, and children to a crisp in Waco as a PR stunt.
Their tactics here remind me of similar tactics they used to arrest another geek I know, Mike Scott, on trumped-up charges. They contacted him under false pretenses for a job interview, and when he showed up at their office they arrested him. He's been in a federal prison for about two years now, waiting for his hearing, despite its being obvious to all that he doesn't belong in prison.
Even when he gets out, it's going to take him a while to recoup his losses -- the FBI stole his vehicle, his firearms, his computers, and some other stuff, and realistically he won't be getting any of it back. Fortunately he's a real whiz of a molecular engineer, so finding a high-paying job probably won't be any problem. (In fact, it was because the company he worked for refused to pony up over half a million dollars in royalties for the profits they made off his patented technology that they sicced the FBI on him in the first place.)
-- Guges --
This guy didn't violate any norms of society, although some people think that he may have violated some laws. Norms are things that most people believe (ie kiddy porn is bad, don't steal, go to highschool, etc.), and laws are specific documents listing actions that you must or must not do according to the government.
He most certainly didn't violate any norms.
ReadThe ReflectionEngine, a cyberpunk style n
The local newspaper claimed that the competitors ISP had logs with hundreds of attempts at known security vulnerabilities.
If this is the case, he's really just getting what he deserves, if this is not the case, the competitors ISP should be sued for defamation/slander.
yes he did.. cwis internet.. I suspect it would be cwis.net
It's things like this, the DMCA and other such horse shit that make me hate living in the US.
I'm really starting to think about moving somewhere else. Can anyone name some places where such nonsense isn't happening? English speaking, 1st world countries preferred.
The opinions in this post are fictitious. Any similarity to actual opinions, real or imagined, is purely coincidental.
From a NY Times article, http://www.nytimes.com/2001/08/19/technology/19WIRE.html, about a man who inadvertently 'cracked' a hospital's wireless network:
On the other hand, he also knew that with "sniffer" software that he uses to analyze computer networks, he could monitor every message and file passing through the hospital's wireless system, presumably including sensitive patient data entered by nurses via the wireless-equipped laptops they carried from room to room.
"Fortunately, I'm married to a lawyer, who advised me against looking," he said.
I think the moral here, is not, as some cynics have suggested, "If you find a security hole, don't report it", but "If you find a security, don't 'test' it".
Here in Australia the reputation of the U.S. FBI is formed solely through movies and television. So you can understand how someone like myself (who lives in Queensland, Australia) has the impression that the FBI like to barge into places and get convictions.
This story has made me think "maybe the FBI are all crazy..."
"Oh, you think you're innocent of the charges? Well, that can be decided in court... welcome to the concept of innocent until proven guilty".
I'm sure that the federal officers involved in this situation were thinking "if this guy didn't really hack, but honestly found this misconfiguration by mistake, his attorney will argue it in court and he'll walk".
FAIR ENOUGH? Simply indicting someone doesn't mean they're definitely going to jail, but they get inconvenienced to the max. $10K to prove you're innocent? More than a year of your life filled with stress, wondering if you are going to spend a few more years under probation or even jail?
I'm sorry, but that is crap. Just because these feds didn't know jack about the situation (I can only conclude that they didn't fully understand the situation as anyone that does understand the problem wouldn't want this guy prosecuted) this good samaritan goes down.
And no, I am not anti-American. Federal law enforcement in Australia isn't too far behind. Prosecution hungry feds like to run amuck here too.
"Yeah Tommy, before Zee Germans get here
If the FBI agents are from that area, they probably can't even tell you the difference between the computer and the hard drive much less what the heck "cracking" is.
I've reported it to the news agencies here in Oklahoma City. Hopefully shedding a little light on the matter and making it more public will humiliate the agency into dropping charges.
Is entry through an unlocked door illegal? I can't tell you the number of times I've opened unlocked doors to stick my head in and yell. Only for people with big back yards on days they are likely to be in them or watching TV in the basement or upstairs, though.
A correct analogy would be putting a note in the mailbox, which I might have done, if I was carrying a notepad. Tampering with postal equipment is a serious offense, so please just sign me,
Federal Felon
Seems that "entrapment" can pass for "due process" nowadays. Our rights were fun while they lasted.
"You spoony bard!" -Tellah
I have this little script that was linked from /. a few days ago (dasbistro.com) with a Code Red infection detection that emails a supposed-to-be-concerned person about it.
After all those emails sent, I would probably be sentenced to death if I were to live in Texas.
Mea culpa. Me go get coffee now.
the person who responded before on this subject was not aware of the fact that this man does win by taking a felony plea in the short term.
it seems as if fm6 is saying this from the eyes of the prosecution/government, and he is totally right. The law is the most screwed up complex system there is .. worse than MS WIN 95.
Seriously. In my experience with the law, (I was young and had a very fast car) I have found that telling the truth, even if it is something that is right, and honestly intended, will get no where.
The best thing to do is to plead not guilty, and claim that he did this on a mock up machine, using the same configurations.
It sucks, because it weighs on your conscience swearing on the bible, and flat out lying. However look at the options. Who wants to pay with their freedom (financial, spiritual, or physical)? With spiritual, there is a possibility of forgiveness.
or look for a lawyer who reads slashdot, and is willing to do this case with payment if found not guilty.
I wish him the best of luck.
Every day I grow more disgusted.
pr0n - keeping monitor glass spotless since 1981.
(/me believes there is something seriously wrong with SlashcodeXP and its handling of HTML)
As tempted as you may be, there is nothing grammatically incorrect with "The quote in quotes...", it just sounds funny.
As for my original reply - For your benefit, so you can finally see how flawed the logic in your original post was, this is how it shows up in either of my browsers and how it is marked-up in HTML...
[italics on - your words]
Next you'll be telling me that accessing /etc/passwd constitutes a cracking attempt!
[italics off]
[my words]
Don't be stupid, use an analogy that makes sense.
"Next, you'll be telling me that accessing /etc/passwd, then taking one of the username/passwords and testing it on the system as a login constitutes a cracking attempt."
Care to re-think your argument?
[italics on - your words]
Let's adopt the same philosophy the FBI and the prosecutors have - if we are wrong about this one, they are guilty ten other times that we can't prove.
[italics off]
[my words]
Err... paranoia anyone?
It's definitely more of one than the article below it..
Why won't slashdot let me change my terrible username
Several months ago this (or an exact situation like it) was an "ask slashdot" entry and many slashdotters said NOT to notify the company nor the competitor.
If I recall correctly the situation was that you lost a contract to a competitor, the competitor did a marginal job, and left the site open. It appeared to most slashdotters that your pursuing this was sour grapes in an attempt to win back the client and make your competitor look bad.
Telling the client was like telling a mother that her baby is ugly. In essence he made an ugly choice.
Over and over the advice was not to even go to the site and definitely not to notify anyone because of this very thing.
Oh what the ego can do to us. A site lost to competition is a poison site.
Even an innocent visit to a poison site may not be defendable if the site is cracked later and your addresses are found in their logs.
Life is about choice. You chose a most difficult board position and I wish you well in the end-game.
Sanat
And in the end, the love you take is equal to the love you make
slashdot needs killfiles.
I am glad that you are watching your post, and replying to the comments. This makes messageboards like slashdot a true place for wonderful freedom of conversational speech.
I happen to agree with you that people shouldn't be going In. An e-mail to me notifying me of my problems and appropriate fix would be the way I would want it too. If someone patched my system and I never knew it (or not for 25 years..... maybe) well that is ok too, when the fix involves something as simple as the "turning of the headlights" example. What is important is that if the car (computer) is locked (I.E. requiring more than a quick patch from software manufacturer/ organization, or more than 1 line of code), that the person who notices them find a way to alert the owner of the car (computer).
>> I agree. Though there is probably some amount of overreacting on the government's side, trespassing physically or digitally typically is illegal, regardless of intent. <<
I remember a quote once from a fed spokesperson saying that the gov does not have enuf resources to go after much except the largest of crimes.
If this is the "largest of crimes" on their to-do list, then the world must be a pretty safe place.
Table-ized A.I.
Ha, this person has never been charged, so he has never gone to court -- let alone had a "not guilty" verdict.
It's pretty hard to have any jeopardy of any kind until those three things happen -- charged, court, not guilty.
The prosecutor is standing in front of a mic, and talking out of his cake hole.
The prosecutor knows two things :
One, computer crime gets in the news. That means he gets his picture in the paper -- great for that DA job he'd like to settle into after a few more years. Bragging rights for his offspring, if nothing else.
Two, they have a weak case, and anything they can do to get the kid to cop a plea lets them mark it down in the books as "solved". Every "solved" case increases funding and gets him a better shot at juicy DA position.
This is all so predictable. Please see my other posts about when to cooperate with law enforcement, and when to stop and shut your mouth!
Quick recap :
1) In America, we have free speech. The police, the detectives, yourself. There are things any of you can say, within bounds, at different points in the process. Without charges, the police can play pretty fast and loose with their statements.
2) Once you have been read your rights NEVER speak to anyone about the case without your attorney present!
3) Once charged, you have a right to have an attorney present during questioning, representing you. If you cannot afford one, one will be provided. It's the law.
Help the police, they catch the bad guys. But once they start looking at you, shut up and stay cool -- you are up against trained pros.
Remember, when a lawyer gets charged with a crime, they shut up and get a lawyer! When a police officer gets charged with a crime, same thing! That should tell you volumes about how the system works.
My gut feeling? Our boy here is not being totally honest about his activities. He has an attorney, but he has not been charged. I wonder why? He could be sniffing at a defamation lawsuit, his attorney may be asking questions, requesting records. The FBI, newspaper, and DAs office might be mounting a counterstrike to scare them off.
The more I think about it, I keep wondering : why has this guy hired an attorney, when he hasn't been charged with a crime?
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
Mixmaster anonymous remailer network (sigh). It's a shame that you can do right in the United States only by remaining anonymous.
Send mail here if you want to reach me.
Anyone with a copy of frontpage and a large set of balls attempt to do what West did to the paper's site? I think that it's completely possible that the daft sysadmin at his competition still haven't fixed the hole...
Everything would be for purely informational purposes, of course...;)
====
"white bread, redneck, chicken-shit, motherfucker" -- Dr. Dre on "Straight Outta Compton"
Now anyone can become a cracker just by clicking edit on the wrong page. Let's burn this one shall we? Or maybe press him until he admits he is an evil cracker! Then again we could always go with the standard hold em in jail till he admits his obvious guilt! You are all dirty criminals, just because you have a computer and know how to use a simple UI, and all you programmers, especially the open source community, will burn at the stake for your crime of goodwill!
So how many years do you think it will take to end this madness, and how will our children look upon this time. Surely it will be with shame...
Nexion
With news organizations like CNN slashing staff, the remaining staff may be too overworked & disgruntled to maintain security. Laid-off staff may have passwords and know the system inside and out. Those who control the media are tight with money, and info security is not a profit center like advertising sales. But on a news web site, leaving it unprotected means anyone can create their own headlines!
Local:
"Mishap at Water Treatment Plant poisons city water supply, tap water now flammable, shut off all water valves!"
Election '01:
* Candidate for Mayor Observed Molesting Boy Scouts
* Police Chief says "No more black crime", ordered 100 ropes, having them attached to lampposts by Dept of Public Works.
Business:
"New Company Releases New Product, Stock Prices Shooting Up, Wall Street Analysts say 'Buy Now'"
Or just randomly deface the pages:
"All Your Base Are Belong To Us!"
"LIMP BISKIT F&*&IN RULES!!!!!!!"
Or actual stories may be modified in ways not apparent. A city council meeting is reported "cancelled" and less people show up.
People running for public office occasionally overstep the bounds of the law. Possible this would include modifying a news website just prior to election? Possible an elected official would know how to contact someone with the skills to do so and pay them to do it anonymously and untraceably?
When reading the news on a web site, can no longer assume it was not modified without the news organization's knowledge. In fact a news URL may be as bogus as a chain letter. When a security breach is publicized some readers may lose faith in that website and try the competition's web site.
Do newspapers firewall their web servers from the machines the stories are composed on? If not it is possible the content of the PRINT edition could be messed with. And whatever is printed in the paper it must be true.
This seems to be a case of the God complex. I have known people who, when their mistakes are brought to their attention by someone, think that the person is targeting them and, thus, they must be brought down. I am guessing this is the type of guy he was dealing with when he mentioned the security flaw.
:)
Seems like a better way of bringing up the security problem is to post it all over IRC and have other people post porn on the website. They'll understand the security flaw and look stupid, just like they should.
Ferengi Rule of Acquisition 285:
No good deed goes unpunished.
Old news...
Stuff like this happens all the time... it just does not make it to slashdot or the mainstream media since in most cases doing so can harm the "defense"... [a prosecutor/DA is more likely to go with filing the case if it gets public attention]
One case that I know of happened in 1997 to a student that went to the same school that I did [www.wtamu.edu] (he worked in the computer labs, and was a dorm computer assistant at the dorm I was in).
He was charged with breach of computer security (which he still denies to this day; case was dismissed, but he is still banned from the campus) when a local ISP [www.arn.net] had some web pages defaced.
Turns out that someone used a security hole at the university to break into the ISP.
Unfortunately for him, it was one of the same holes that he had told both the university and the ISP about before they were used. (he knew the admins of the ISP, and he used to work for the computer labs at the university).
The ISP and the university had to find a scapegoat for their troubles... and he had unwittingly provided them with enough information for them to blame him for it...
so... the lesson learned by him and others at the university? Don't show your talent or else it CAN and WILL be used against you....
The way the article is written leads me to see it as a genuine story because it is a mirror image of hundreds of such similar stories.
The article shows something very familiar that can be seen among many enforcement and security services around the world. No it is not computer "ignorance". It is using your badge and position to show how important you are and to get some extra premium for "excellent service". You live in some peripheral corner of some megapolis or in some lost land of technocivilization. And you get a case near the edge of the law. So a little bit of grease and things slip to the place where you become sound and famous. And maybe you get a chance to quit this greasy and smoky neighborhood and get a seat in some shiny office at 30th floor.
Here we can see that FBI officers are as human as their colleagues in other places of the world...
I read through the PDFs on the linked site there, and if they are legit .. sounds like someone is .. well full of shit .. I don't know .. but the way I look at it if they are wrong on a fundamental issue like this (quote follows).
---
[...] different attempted actions on the host computer including "GET" requests indicating that a file has been requested for download, or "POST" requests where a file has been provided for upload to the webpage. Generally, the webpage administrator is the only person who would attempt to "POST" files to the web page.
---
I know my HTTP protocol enough to know that GET and POST are essentially the same .. and both serve the purpose of fetching a page, and just as I will click the "Submit" button on this reply I will attempt a "POST" request on slashdot. Oh no I'm trying to hack slashdot, coz I'm not the admin .. bah .. my point is made .. what's up with that? they really should get their facts straight.
Sure, oh yes. Site's content is obviously a copyrighted material, and site's defences are to protect this material. Which makes Microsoft a company that produces technology and tools to circumvent the copyright protection. I'm holding my breath to see Ballmer arrested by FBI agents next time he goes out of Microsoft headquarters.
-- If you can read this, you have too much education.
Someday, when everybody finally gets fed up with how OUR government, of which WE allowed to expand uncontrollably beyond their britches.
Will revolt, making the civil war, look like a backyard barbeque.
Because any script-kiddy reading that article will probably get a hard-on, hacking in there. And they probably won't give a call in advance or leave their address and office hours with the FBI. Well, if I found a security hole on their site I sure as hell wouldn't inform anyone about it, and surely not them.
I really hope their zero-tolerance-policy blows up in their face and leaves them with the shit they deserve, so they serve as a bad example. With their action they only scare law-abiding folks from reporting security-holes to them, but no crackers who stand on the wrong side of the law anyway.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Wow - the American government seems to do everything possible to stop people helping each other.
It's forbidden to point out security flaws in commercial software (Adobe!!)
It's forbidden to check software you _buy_ for security flaws, even when not telling anybody
It's forbidden to tell someone that they have a problem (or at least you shouldn't do it because you could go to jail for it).
I always thought RMS and the FSF are taking it too far with their political opinion.
But as more and more things like this happen, I am more and more convinced that they are totally right. It's a moral obligation to help others, and anything that tries to stop this, being the DMCA, other silly laws, or proprietary software is just plain WRONG.
I live in Austria, and things aren't this bad here, but they will certainly get worse.
Obviously you were reading them, as I was too. I love the trolls. Slashdot would not be the same without them.
...no good deed goes unpunished.
...
Or, as my grandfather, God bless his soul, used to say, "facerea de bine, e futere de mama"
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
...I haven't been to the U.S. of A. in years, and with the DMCA in effect, I'm not coming back until democracy is restored.
I have the same exact thing in a porn file I downloaded from Filetopia(www.filetopia.com) just the other day. Quite a turn on really. The filename is "~mx~Sylvia Saint (Bathroom Threesome)(1).mpg" if anyone is interested in downloading it.
I believe you are very, very late. First post no longer exists! In fact, you are post number #2172368. Which as even dopey old you can see, is in no shape or form even close to #1.
Thank you. Please come again. And don't forget the towel or dunny paper to wipe up the sticky mess.
Stream of consciousness posts are fun. We should try this again sometime. And yes, there is more than one of me, or at least that is what the scales tell me. Gotta love talking scales. At least I know I have a friend if I need one. Which I do.
Good day, good night, and good wank to you.
I believe you just found a bug in slashdot. You can put goatsex links in your sig and it won't put [somesite.org] following it. How long until the trolls register accounts just to exploit this effect??
Don't tell it - Sell It.
The Real Lesson here is. Don't do a good deed. Turn a good profit. Their competition would love to pay for information about security holes.
You got to love Gov. that encourages industrial espionage.
- - If you are reading this, I'm not having a productive day.
Let old Frank know how you feel: governor@gov.state.ok.us
I do not fear computers. I fear the lack of them. Isaac Asimov (1920 - 1992)
However, he has the text of a letter received from the US Attorney for the Eastern District of Oklahoma stating that
So, they're presumably slightly beyond the "fishing for an admission" stage. I suspect that having an attorney really would be a good idea for him.
fencepost
just a little off
It's not his fault you're too stupid to look at the bottom of the screen before you click on a link. (Which reminds me -- what is all this shit about "for the goat.se fearful" that leads people to write out the link? What browser are people using that DOESN'T show the link when your mouse pointer is over it?)
What the hell is the deal with all of these idiotic analogies? I mean, come on. What happened is what happened, we should all be able to understand what happened without these preschool metaphors.
Just stop this right now.
Read The ReflectionEngine, a cyberpunk style n
Threaten them anonymously. Ask them for a million dollars or something, see if the hole goes away.
As a cop who read the article, it sounds like he did violate the law. It said that he tested the security holes to make sure they were there. Well under federal law and most state laws unauthorized access to a system is a crime. So despite his good will, he did technically commit a violation.
Should this be prosecuted? I don't have enough information to say. Is the prosecutor charging the right statute? I have no idea.
As someone else mentioned, why didn't he contact the website host or the sysadmin before going plunking around in their system (even with good intentions)? I am not saying this should be charged, just trying to interject a law enforcement perspective about the law. Because the law is about accessing something you aren't supposed to/that you don't have authorization to (in most laws of this type) and not about your intention while doing (for computer crime typically).
So this makes frontpage illegal h4x0r tools?
If you are flying from say, Heathrow to Mexico City, connecting in Toronto (I made that up), standard practice is that you do not have to go through Canadian customs & immigration in Toronto, because you are not actually entering Canada officially; you are simply catching a connecting flight.
On my trip from Amsterdam to Costa Rica, connecting in Newark, they made us collect our luggage, go through customs & immigration, and then hand our luggage back in.
Normally, an airport simply keeps you in a secure area between connecting flights if they are not domestic.
You seem to think I'm whining about Customs & Immigration because it's 'annoying' or something.
Dude, let me tell you. If I'm travelling to the United States, then I fully expect to obey their laws and go through customs & immigration, etc etc.
But when I'm flying to Central America, and my flight just happens to connect in Newark, and I'm not told until the last minute that I have to go through US Customs (which is NOT normal for a connecting international flight).. that disturbs me, because I may be carrying things in my baggage that I am not allowed to bring into the US (But are perfectly legal where I came from and where I am going), or (though it's not the case at this point) I may for some reason not be permitted entry into the US.
And you are just the type who says 'You don't like it in the US? Look at countries with REAL problems'. Yep. Let me tell you.. if the US continues to erode its people's freedoms as it has been, you will end up the same way.
Merriam-Webster (admittedly not a Law dictionary) disagrees with you:
Try "trespass", it's closer to your meaning:
In Wisconsin, at least, the maximum penalty for trespassing is a $1,000 fine. If you are a lawyer, figure out for yourself if that qualifies as being a felony or not; it's not worth my time.
Meanwhile, I've done web design and his initial trespass, which you assert was "obviously a felony", probably happened even before he realised that there was a problem. It's pretty standard practice to download the page you're going to add content to (he was under contract to make a banner ad to place on the site), especially if you don't have access to the server it's on. And if he hit "save" instead of "save as", Front Page probably saved it to the web server before he even realised that anything was going wrong. This happened to my team at work when we released an application for our users (who all do web design themselves) and they inadvertently started editing our asp pages that were only supposed to be web forms...
According to your post, at the point he hit save he'd already committed a felony and should be convicted by any right-thinking jury. Perhaps he went too far in uncovering the problem, perhaps he contacted the wrong people, but at LEAST argue it on a decent basis. Please.
If this case is to be prosecuted, it's because the PDNS are asking the police to do so and cooperating with them in the prosecution - it's not like the DMCA cases where a company can make an accusation and the Feds run with it even after the accuser backs off. The paper needs to understand the moral position they're in and do something about it. Among other things, that's a job for letters to the editor that really *are* to the editor...
Their advertisers ought to understand as well. The web page lists a Directory of them. Most of them aren't technical people; it's much better off to do a friendly "Hey, this guy tried to help out the paper you're advertising in and the publisher's gone ballistic and trying to get him jailed" rather than geekish flamage. Most of them don't have email addresses listed - most have snail-mail addresses, and while some have phone numbers, I'd advise against bothering them that way.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
By telling the customer that they'd hired complete fuckups, and that he knew how to fix it, and was capable.
-- Ender, Duke_of_URL
While I agree with you on most points, what you're saying sounds an awful lot like blaming the victim. "He shouldn't have gone down that dark alley last night, that's why he was mugged." "She should never have dressed so provocatively, that's why she was raped." "They should never have connected that system to the Internet, that's why they got hacked."
The problem is not really incompetent system administrators per se. Most of them know their own lack of knowledge and are happy to have their shortcomings pointed out to them so they can do something about it. It's incompetent system administrators who are bent on staying incompetent. It's these kinds of people who prosecute helpful souls who point out their incompetence. They shoot the messenger who points out to them their own failings and calls for them to do something about it.
Give me six lines written by the hand of the most honest of men, and I will find in them something to hang him.
would be the word getting out, "use frontpage, go to jail." It would be pretty darn easy to commit the felony of selecting edit from the menu by accident, so I just deleted frontpage from my HD so as to protect my ass, it's safer just to use notepad from now on.
Stupid Sysadmin+Stupid Law Enforcement+Stupid Software=Brian West+Jail
Where do you want to go today? Certainly not jail...
No, seriously, I just come here for the articles.