Report Security Problems, Face The Consequences
An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.
whistle blowers have been prosecuted and prosecuted for a long long time..... why do you think we would be immune to the norms of society?
But seriously, this guy deserves a medal, not time in jail, or fines. If a worker at a car company knew of a serious fault in another company's car, and didn't come forward, he would be guilty of murder (assuming people died from the flaw). If this guy didn't come forward, he would be partially responsible for the damage caused by the security flaw.
I doubt this case will go that far, though.. I just wish the government would realize how fucking stupid they are being.
It says in the article that he 'tested' the secure hole to make sure it was indeed a security hole. It depends on what he did to that site during that 'testing'. If he did something illegal, then they are going to bust him down in court for that.
Talk to the techs.
Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?
Trolls throughout history:
Jonathan Swift
I'm going to explain this very, very, very simply. Say whitehat A were to find a security hole in your company's computer, and would notify you. And you were to fix it. You thank him and (possibly) send him a small check.
Now... it appears that you would rather have the white hat see that your computer is vulnerable, not notify you because he doesn't want to go to jail, and start programming something else. Then, a few weeks later a script kiddie comes by, sees a vulnerable machine, grabs all the passwords, and defaces every computer on your network he could find.
Take your pick!!!!!
Sig you!
FBI goons play friendly while gathering evidence.
Only those things that can be used against you are considered.
Where is there news here?
I have made it a point to NEVER, under any circumstances, connect to any service beyond web pages linked by their own site, without written permission of the owner, on their corporate letterhead.
Exposing security problems is considered to be a nasty evil thing. Don't do it. Let them be hacked. Do not do it yourself. If you accidentally find a hole, don't access it, don't tell others of its existence, just go on about your own business.
You, a computer knowledgeable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Don't provide it.
But this guy didn't even do this.
What he did was walk by the house and see the front door hanging open when no one was obviously home. He then walked up to the front door and saw that sure enough the door was open. He never went inside. So he came back the next day and said heh, your front door is open.
No one in their right minds would arrest a guy for that.
The ultimate network admin tool needs HELP!
Interesting side thought I've had.
What about good samaritan laws?
Can one be prosecuted in some states for finding a problem and NOT reporting it?
----- LoboSoft specializes in Digital Language Lab
It doesn't say that all of them came from Brian West, does it? I'll bet a bunch of them were just Code Red....
The affidavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.
Like what? index.html? Or dir.gif? favicon.ico? Or maybe 4 shift-reloads of a page with 50 gifs?
I have yet to hear any sane theory as to why Brian would intentionally probe a website -- knowing that his accesses would be in the server logs -- only to phone them up and say that they have a security weakness. What would his motive be?
Occam's Razor applies. The simplest explanation is Brian's. Even if he was probing for weaknesses, he still did the right thing when he found them.
I'm a bloodsucking fiend! Look at my outfit!
Feel free to copy this and send it off if you like. With luck, either the DOJ will quit, or we'll get a better explanation. Hopefully we can create an awareness that VOTERS are watching what happens in these matters, and that we expect reasonable action and competence.
Don't post inaccurate information
If you do, I swear by my pretty floral bonnet I will end you.
It's not likely, but it IS possible that the lack of increase in crime is a result of the increase in budget.
What's this Submit thingy do?
There's always another side to the story.
The business owner should have been grateful upon hearing, "Hey, there is a massive security hole in your web page. Here's how to fix it."
Instead, he felt threatened, recorded the callback, and called the police. Why?
That's what I want to know. I want to hear the tape.
Free the tape!
I am for the complete Trantorization of Earth.
A co-worker of mine found a strange machine on a corporate housing DSL network. Turned out to be a CEO of a consulting firm. My friend did poke around and noticed what could have been sensitive documents. He also was able to look at this individual's cookies. He was not able to find the guy's e-mail directly so he contacted the company instead. The CEO called him directly, thanked him and offered to take him to dinner.
The big question is, would this guy have been as grateful if he knew the methods my co-worker used to figure out who he was? It's a fine line. Maybe being an anonymous good samaritan would be the better route.
-Nuke the moon
Or better yet, contact the FBI and let them take care of it, even if a phone call to a competent admin could have fixed the problem.
I'm not saying that's what happened, just that you can't be sure that it's not what happened. People need to find out as much as they can from both sides of the fence before contributing to a "defense fund".
In the affidavit, it says:
"At 19:50 a user logged in to the PDNS webpage edit program from arky.voltage.net using the user identification and password of CRTI employee, James W. McCoy Jr. An [sic] FBI interview of Mr. McCoy determined that he did not access the PDNS webpage edit program on Februray 1, 2000 and did not authorize anyone to use his user identification and password."
I think, by the letter of the law, that that's wire fraud.
Your point about state lines aside, the words "protected computer" jumps out at me. From what I've read, I can only draw the conclusion that the computer is not protected and that, in fact, the suspect in this case was contacting the other company to inform them of this fact. Sounds to me like this FBI team are just looking for something to do to justify their existence.
If you make an analogy, you gotta make a correct one:
(Note: In real life, this might constitute trespass. However, there's no such thing as digital trespass. In real life, you'd probably just call the police.)
Claus
First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically that's entrapment.
If the company asks me to demonstrate breaking into their website, then that's the same thing as inviting me into your house then having me arrested for trespassing.
Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.
All that aside, what do we do? Should we not bother to help the world secure itself? Should we just write worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.
How DO we deal with this? Law Enforcement either doesn't have a clue, or doesn't care, and probably it's both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure microsoft crap and have it work, and microsoft certainly isn't going to take any blame for it.
This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcement involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.
As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if it's not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?
-Restil
Play with my webcams and lights here
It's a fairly obvious difference between cracking a system, and exploiting the problems found, and coming across a problem by accident and reporting them in a sensible manner.
How is what he did sensible? He works for company X. On day 1 he finds a misconfigured server run by company Y, his direct competitor. He spends this day poking around two of the sites hosted there, testing out usernames and passwords that he found on at least one of them. Does he tell anyone who could fix the server anything? No. Not until the next day does he let anybody know about it (assuming he didn't share the info with his buddies), and when he does so, does he call the server operators? No, he goes to company Y's customer and tells them. And he doesn't tell their IT department, he tells it to a newspaper editor. He's not some good samaritan, because he never did tell company Y about the problem with their server. He was still showing people the hole 10 days after he found it.
The sensible thing to do, which I've done a few times, is that the instant he realized that there was a hole in the server, he should've immediately quit playing around with it and immediately called or emailed the customer or company Y. That is, if he really wanted to be a good samaritan. If he didn't want to be a good samaritan, that's fine, he doesn't have to call, but you don't sit there poking around the hole after you realize that it's there.
Totally wrong. Somebody who knows the technology must have been involved even before they called in the FBI. And I'm sure the FBI and the U.S. Attorney also have technical experts.
Undoubtedly Cyberlink has a policy of referring all security breaches to the authorities. They probably call it "zero tolerance" or whatever the get-tough buzzword is this week.
Common sense says that West behaved responsibly. He inflicted no actual harm on the Daily News web operation, and indeed probably saved them some down time, or worse.
Unfortunately, common sense is not relevant here. When somebody gets caught in a technical violation of the computer security laws (even when the violation is a matter of interpretation, as in this case), the authorities have every motivation to "send a message" and go after the "culprit". Brian West's criminal intent, or lack of it, is simply not to be considered.
The ultimate safeguard is supposed to be the trial jury, which would presumably see that Brian is anything but a criminal. But in order to avail himself of that safeguard, Brian has to expend all his financial resources in an expensive trial.
So the U.S. attorney offers Brian a plea agreement involving no jail time. Brian gets to walk away with some of his finances intact, and the feds get to chalk up a conviction. Everybody's a winner.
Outrageous? Yeah, some people would say so. Stupid? No argument from me. Counterproductive? Actually making things worse? Absolutely. Unprecedented? You've got to be kidding. This is the way the justice system works, and this sort of thing happens every day.
I've long had a policy of never reporting security breaches, unless the victim is somebody I know and trust. I've had brushes with the "shoot the messenger" mentality before, though never anything as nasty as this. I'm not surprised, but it's a little chilling to see my worst fears so thoroughly confirmed.
It would be nice to have a law passed that explicitly made it okey-dokey for people to merely inform a Trojaned luser of their situation, so long as no harm was done.
I don't think that law is needed. I don't see any reason why people informing trojaned lusers cannot do that safely. I have got countless Code Red probes in my Apache logs and have seriously thought about trying to warn those people (it's just there are too many of those).
There's no way that could be illegal.
I won't be trying to "verify" if the root.exe exploit is available on those machines, since that could give me some serious trouble if someone were to pursue a claim against me.
No matter what my intentions are, that would be gaining unlawful access to someone else's machine.
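The commenter above describes the safe version of the idea: read your own Apache logs, identify the hosts that are probing you, and notify their owners without ever connecting back to the probing machine. The following is an added example (not code from the original post) that does exactly that for the Code Red signature the commenter mentions. The log lines are constructed for the example, and the signature (a GET for /default.ida with a long run of N or X followed by the %u-encoded payload) is the widely documented one; the IP addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Apache "combined" log format: the fields we care about are source IP, timestamp,
# request method/path/protocol and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red requested /default.ida followed by a long filler of "N" (original) or
# "X" (variant) and then the %u-encoded payload starting with %u9090.
# On an Apache server this always fails (404): the hit is evidence that the
# *source* host is an infected IIS box scanning the network, nothing more.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{20,}.*%u9090', re.IGNORECASE)

# Constructed sample log; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges (RFC 5737), so these are not real probing hosts.
_NNN = "N" * 224
_XXX = "X" * 224
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:08:12:01 -0500] "GET /default.ida?{_NNN}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 290 "-" "-"',
    '203.0.113.4 - - [19/Jul/2001:08:12:05 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    f'192.0.2.10 - - [19/Jul/2001:08:14:33 -0500] "GET /default.ida?{_NNN}%u9090%u6858 HTTP/1.0" 404 290 "-" "-"',
    f'198.51.100.7 - - [04/Aug/2001:02:31:10 -0500] "GET /default.ida?{_XXX}%u9090%u6858 HTTP/1.0" 404 290 "-" "-"',
    'this line is not a valid log entry and is skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red(entry):
    """True when a parsed entry carries the Code Red probe signature."""
    return (
        entry is not None
        and entry["method"] == "GET"
        and CODE_RED_RE.match(entry["path"]) is not None
    )


def code_red_sources(lines):
    """Count Code Red probes per source IP over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if is_code_red(entry):
            counts[entry["ip"]] += 1
    return counts


def notification_list(counts):
    """Sources to notify, most active first; the owner/abuse contact lookup is
    left to the reader (e.g. a whois query), since only the IP is known here."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in notification_list(code_red_sources(SAMPLE_LOG)):
        print(f"{ip}: {n} Code Red probe(s) seen; notify the owner of this address")
```

Everything the script touches is local: it never contacts the probing host, so it stays on the "informing people" side of the line the thread keeps drawing. To run it against a live server, replace SAMPLE_LOG with the lines of your access log.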
The problem is that your statement "(...) so long as no harm was done" is hard to objectively maintain.
Suppose a server I am sysadmin of has a security hole. You're trying to help me and being a white hat hacker you enter my machine and take a good look around and after doing so you create a nice summary of problems and even the necessary fixes.
At first sight, that really is commendable.
However, since I don't know you or your intentions can I safely assume you meant no harm and did no evil things to my machine? Should I take your word for it? For all I know you're just helping me to patch up my machine so no other evil hackers get in and you are the only one that is able to get into my now mostly-secure-but-now-backdoored machine.
The consequence of you trying to help me is that I would have to retrace all your actions on my machine, which might not have been necessary if you didn't try to "help" me by gaining access to my machine without asking me in advance.
Surely I'd have to do a full security audit anyway, but now there is more information in the logs to be checked out.
No matter what your intentions are and how stupidly I misconfigured my machine, your attempt to help me just cost me a whole lot of extra time and downtime.
Informing people is fine and totally legal. Gaining access to their machines without their consent is illegal and rightfully so, as far as I'm concerned.
The law I would like to see is one that holds people accountable for problems caused by those people not securing their machines (Code Red anyone... think of all the bandwidth wasted by that little prank). Better still, don't make it a law; ISPs could take it up in their conditions that they are allowed to pull the plug when such problems aren't fixed within a certain period!
So, if you're aware of someone taking increasingly large doses of drugs, just stand by and let them OD?
Yup.. Helps clean out the shallow end of the pool..
Death and poverty like me so much, they've brought friends!
I would have probably done the same thing and never even considered that I could get in trouble. My intentions and actions were all good.
Now as mentioned Joe-6-pack will not understand this if the facts are spun a different way by a skilled and, IMHO, malicious prosecutor (who should know better but since 5-oh can't catch any *real* criminals they have to royally fark the innocent ones). I can see the courtroom now. This kid is screwed.
This is an important reminder, maybe our foresight will be a little sharper through his hindsight.
closed minded is as closed minded does
Ahem, this man has not been charged with a crime. That means they are blowing smoke -- for now. He does not need an attorney.
Look, several years ago, I walked near an area where a sexual assault had taken place. The police saw me, and you can imagine what happened. I was a perfect target -- single, no alibi, just walking between two places alone.
They questioned me, took my info, and left. The next day they started calling me at home and at work, trying to get me to confess, trying to get me to "accept" a lesser charge.
They stated that if it went to court, they had enough circumstantial evidence to convict me, that if I didn't take the offer, they would go for the most severe charge. I would be in jail for "years", and (obviously) lose my job.
If I would just confess to a lesser charge, they would "guarantee" no jail time, and no fine. After seven years, it would be like nothing happened, there would be nothing on my record.
There was just one problem with accepting the blame: I was not the perpetrator; I committed no crime.
So I was scared. I spent some money on an attorney ($75) and the guy wanted thousands "up front" to "insure my freedom".
As it turns out, most lawyers are lying bastards. I talked to my Dad's attorney about this, and he started laughing. He said "My God, this is America! You haven't even been charged! They're blowing smoke up your ass to try and get a free conviction for doing no work!"
He recommended that I call the Detective and state:
"My attorney and I will surrender to your department when charges are filed, please contact me at that time. I have no intention of fleeing; I would like to avoid the embarrassment of being arrested at my home or place of work".
Total cost for a real attorney: $0.00
I was never arrested, charged or contacted again!
Know your rights! You do not have to speak to the police...you should respect them and answer rudimentary questions with honesty, but once it becomes clear that you are a target of the investigation, stop talking! Simply tell them you intend to turn yourself in when charges are filed.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
But since you've placed me in the "them" corner, let's look at a motive. How about... for money? The oldest motive in the book. Here's a hypothetical;
Don't believe everything you read. This seems to be a case of the God complex. I have known people who, when their mistakes are brought to their attention by someone, think that the person is targeting them and, thus, they must be brought down. I am guessing this is the type of guy he was dealing with when he mentioned the security flaw.
:)
Seems like a better way of bringing up the security problem is to post it all over IRC and have other people post porn on the website. They'll understand the security flaw and look stupid, just like they should.