Slashdot Mirror


Report Security Problems, Face The Consequences

An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junkie at an SE Oklahoma ISP, is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone." The details of the story lead to some head-scratching.


  1. Donations... by hexx · · Score: 5, Informative
  2. Re:this is not a new thing by Anonymous Coward · · Score: 3, Informative



    Even big stupid companies do it!

    Whistleblowers take 3Com to court over unsafe kit claim
    By: John Leyden
    Posted: 15/02/2001 at 18:43 GMT

    3Com is facing a multi-million dollar lawsuit from former employees claiming it knowingly sold unsafe products and conspired to file false police reports against them when they reported problems with its kit.

  3. Re:Not the whole story... by Anonymous Coward · · Score: 5, Informative

    I know the guy in question on this situation and he didn't do anything malicious. I was talking with him on IRC at the time he found the problem and since he isn't an NT type he didn't quite understand what had happened. You can pull up one webpage and get dozens of listings in a log file with all the pictures, etc ... so the hundreds of attempts makes it sound worse than it really is. He did access directories on the site that operate it (they have a perl script so they can enter articles/changes via a web interface) just to see if it would allow him access to places that should have required additional passwords (not just the front page password) and sure enough it did. Nothing on the website was modified or any files changed or anything malicious. They're also claiming that this news perl script he accessed was worth $5,000 because that's the limit to get a federal prosecution.

  4. Re:Not the whole story... by whatnotever · · Score: 3, Informative

    Read the comments below the linuxfreak article. Brian explains it in a bit more detail. He did use a username/password, but he got it from a file served to the public from their site.

    And I think that the "hundreds of attempts" mentioned is just their normal daily load (their advertising claims to reach "over 1000" readers daily, and this is over a year later, right?). And if only *some* were trying to access these files and scripts, why even bother mentioning "hundreds of attempts" - that number is irrelevant!

    Basically, he did a bit more than click on "edit," but it sounds like he really did just find the hole and check to be sure.

  5. Contact Wally Burchett and the Poteau Daily News by pclinger · · Score: 3, Informative

    Mr. Wally Burchett has some serious issues, and the Poteau Daily News has something coming to them if they think they can get away with this.

    Everyone should start writing letters, call the editor, etc. From their Web site:

    Address:
    Poteau Daily News & Sun
    P.O. Box 1237
    804 N. Broadway
    Poteau, OK 74953

    Office Hours:
    7a.m. - 6p.m. Mon.-Fri.
    8a.m. to Noon Sat.

    Phone Numbers:
    (918) 647-3188
    (918) 647-8198 Fax

    Email:
    pdns@pdns.com
    publisher@pdns.com

    If you write letters, direct them to Mr. Wally Burchett.

    As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.

    For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.

    --
    /. editors made it impossible to link to file:///c:/con/con in my sig. Please just type it in
  6. Re:Wire Fraud by mmol_6453 · · Score: 2, Informative

    Here's the law entry for what he's charged with, and Here's the reference for the Oklahoma wire fraud law.

    --
    What's this Submit thingy do?
  7. Per the fbi afidavit by WindowsTroll · · Score: 3, Informative

    he is guilty of unauthorized access to the PDNS web site. He admitted in a recorded conversation with PDNS representatives that he accessed the user names and passwords to their site, that he entered their site using these names and passwords, and that on three occasions, he entered the web site of 1st National Bank of McAlster and was able to view customers' checking accounts, savings accounts, and money transfers.

    So, going back to the house analogy, he is guilty of going inside and looking around.

    The details of the affidavit are from Brian West's own web site, http://www.bkw.org

    --
    "Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
  8. weird tactic - details of Title 18 Section 1039 by hillct · · Score: 3, Informative

    One item not mentioned in the article is the details of Title 18 Section 1030 which pertains to 'Fraud and related activity in connection with computers'. Under this statute, mere access to protected computers owned by the federal government is a criminal offense, and access with intent to cause damage or defraud are offenses, but this guy hasn't committed any of these offenses. The only offense he might have committed is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.

    The problem with prosecuting under this theory is that as far as I can tell (and the article doesn't really say either way) accessing the computer hosting the newspaper website was not done across state lines (thus affecting interstate commerce - which is why this clause can exist in the US Code at all). Does anyone know weather access to the newspaper website was done across state lines? It doesn't look like it to me.

    --CTH

    --
    Got Lists? | Top 95 Star Wars Line
    1. Re:weird tactic - details of Title 18 Section 1039 by emmons · · Score: 2, Informative

      Please, learn English if you want to write in it.

      "weather" is not the same as "whether."

      --
      Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
  9. Pick your analogy by Plasmic · · Score: 4, Informative

    In Brian's case, this reminds me more of a guy walking his dog around his neighborhood on the sidewalk who notices that the front door of one of the houses was left wide open and that there are flashing neon signs pointing to the open door that read

    ENTER HERE -->

    TAKE EVERYTHING IN MY HOUSE! PLEASE! I DON'T WANT IT! IF I DID, WHY WOULD I PUT THIS SIGN UP AND LEAVE MY FRONT DOOR OPEN?

    So, the guy looks at the mailbox to find a house number, looks up the number in the neighborhood directory, and calls the owner to make sure he's aware of the situation.

    We can start an entire thread on analogies for things like what Brian did and what portscanning is, but it just becomes subjective depending on how familiar you are with the technology. To many of us, opening up a file that contains contact information after Frontpage accidentally goes into editing mode instead of read-only mode (or whatever) and then contacting someone about it seems trivial. But to your average FBI cybersleuth, it's just as trivial to spin this in an insanely dark direction.

    Isn't it more fun to catch cybercriminals than to wander around determining that those people are actually innocent? Try to convince your average cocky FBI boy of that.

  10. [OT] Re:Who-hoo! Land of the Free! by locutus074 · · Score: 2, Informative

    Having formerly worked for an airline, I can tell you that the reason is because Frankfurt is the first stop in the country of your final destination.

    Think about it this way: Suppose you embark from Podunk, Idaho on your way to Frankfurt, with a connection in LaGuardia (New York City) each way. (Assume that Podunk Regional Airport has no customs and immigration facilities, but it wouldn't matter if it did.) On your way back, you'll go through customs and immigration in New York, because after New York, it's all domestic flights.

    It works the same way going abroad.

    --
    We have fought the AC's, and they have won.

  11. Don't trust the Oklahoman - HORRIBLE REPORTING by lonesome+phreak · · Score: 3, Informative

    I live in OK. Never trust what the Oklahoman says. It has been judged one of the WORST newspapers in America (http://www.cjr.org/year/99/1/worst.asp). They are racist, homophobic, and very skewed on all their reporting.

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.
  12. Title 18 Section 1030 by vulg4r_m0nk · · Score: 2, Informative


    For anyone interested in reading the law under which the prosecutor is planning to charge this guy, it is here


    If the details of the story are correct, there's no way the DOJ can win this case, as all of the provisions under the law have to do with intent to defraud or demonstrable harm having occurred. But, as others have pointed out, the details are a little sketchy.


  13. Re:Has common sense become less common? by Cramer · · Score: 3, Informative

    Actually, if it ever goes to court, there may be nothing to present. Unless he was aware the phone call was being recorded, the tape is tainted. If there was no search warrant, any materials collected by the FBI at his place of business are also tainted. If the agents didn't identify themselves prior to asking him to show them what he meant, that's entrapment. And of course, if he was never read his rights, ...

    While I certainly would agree, on the surface, this looks stupid, we may not have the full story. AND, accidental or intentional, he is almost certainly guilty of "computer trespass". The "door" analogy is a little flawed... one cannot "see" that a password is not required without actually trying. Look at it more as walking up to knock on a door while blindfolded. Basically, a locked door looks just like an unlocked door; you have to try to open it to tell one way or the other. And thus, the law is broken (bent, whatever.) Laws that apply to the physical world don't always have an equal in the virtual world.

    (The lack of formal charges would suggest nothing will ever come of this stupidity.)