Report Security Problems, Face The Consequences

← Back to Stories (view on slashdot.org)

Report Security Problems, Face The Consequences

Posted by ryuzaki0 on Saturday August 18, 2001 @05:09AM from the maybe-he-should-just-edit-the-page dept.

An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.

14 of 552 comments (clear)

Min score:

Reason:

Sort:

Re:Who-hoo! Land of the Free! by sbeitzel · 2001-08-18 05:34 · Score: 3, Interesting

This, from the only country that forces you to go through customs & Immigration even to handle a connecting flight.

No, Canada requires it as well.

--
Oh, go on, check out my job.
Not the whole story... by szcx · 2001-08-18 05:36 · Score: 5, Interesting

LinuxFreak:
The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.
Oklahoman News:
Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.
The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

With that in mind, let's not canonize Brian West just yet.
Re:Important lesson by atheos · 2001-08-18 05:40 · Score: 3, Interesting

It appears to me that he didn't want to inform the security flaw to the competing ISP.
It looks to me like he simply wanted to sway the customers over to his company, and use the security flaw for the reason.
ya ya ya, I'll get modded down for this, but I do think there is more to the story.
He should have contacted the other company, and the FBI should do better things with their time.
I once did something like this...But won't again! by tjgrant · 2001-08-18 05:42 · Score: 5, Interesting

Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood, This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite no how to respond, so I waited a day to see if the problem went away. It didn't.
I figured that if I could see the shares other people could to, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.
They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.
However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.

--
Stand Fast,
tjg.
What to do? by yogensha · 2001-08-18 05:43 · Score: 5, Interesting

So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What to I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?

This is a crappy situation.

--

Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
--Ambrose Bierce
No good deed goes unpunished by YIAAL · 2001-08-18 05:52 · Score: 4, Interesting

This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteeen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.

--

InstaPundit! Ahead of the Curve Since 30 Minutes Ago
part of the problem is incompetent sysadmin by Skapare · 2001-08-18 05:56 · Score: 5, Interesting

My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that its often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.

The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.

--
now we need to go OSS in diesel cars
Something similiar happened to me by Kiwi · 2001-08-18 05:57 · Score: 5, Interesting

A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.
The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.
About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.
Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.
Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.
At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.
Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.
Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).
- Sam

--
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Something similiar happened to me by Kiwi · 2001-08-18 05:59 · Score: 3, Interesting

(Sorry about the blank comment. The new Slashdot code is still really buggy)
A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.
The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.
About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.
Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.
Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.
At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.
Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.
Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).
- Sam

--
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Re:Has common sense become less common? by Skapare · 2001-08-18 06:40 · Score: 4, Interesting

That analogy does not fit. A more correct one would be:

Hi. I came by to visit you at your house yesterday, and when I knocked on the door, it just swung wide open. Did you know you have left it ajar? I yelled to see if you were at home, but you weren't. You know someone might steal the computer you have set up right at the front of the living room there. Well, I closed the door for you. Since I don't have your key I couldn't lock it. You really should try better to keep your door closed and locked, but if not, at least move the computer to your back room so someone less honorable coming along won't walk off with it.

Using the wrong analogy could leave people who just don't understand in the first place with a misunderstanding of it. As to the specific facts about the case with PDNS.COM, I don't know if I have them all or not. But based on what facts have been presented that I have read, my analogy is the correct one. The only reason 99.9% would say this guy is wrong is if they are judging him based on your flawed analogy. Common sense dictates that the case should be investigated. Maybe LinuxFreak.Org didn't really do a very good job of gathering the facts. But until they all are available, this is what we have to go on, and it makes the feds, idiot small town newspapers, and a certain sysadmin, look bad.

--
now we need to go OSS in diesel cars
The way we make laws is a security flaw by blair1q · 2001-08-18 06:44 · Score: 3, Interesting

Anyone with a bad idea and enough money can get any nonsense turned into a law.

--Blair
"Democracy is a wonderful thing. I wish we had some."
Re:Donations...( I *do* know him ) by CoreDump · 2001-08-18 07:18 · Score: 5, Interesting

Actually, I do know Brian on a personal level. I've known him for a few years. I work for a national ISP based in the Chicago area, and have collaborated with him on some projects in the past, so I know who he is, what his convictions are, and he's certainly not guilty of anything malicious in this case. I'm not posting as an AC, so feel free to check me out as well, if you are convinced this a conspriacy to dupe the Slashdot community.
If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worth of a *FEDERAL FELONY* conviction.
I donated to Brian's cause, because a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).
If you don't believe in this case, donate to the EFF instead.

--
---
Segmentation Fault ( core dumped )
Parallel Senarios... by Pollux · 2001-08-18 07:21 · Score: 3, Interesting

Passer-by: "Hello, police? Yea, I was driving by KMart when I noticed that the doors have been broken off of the front of the building. You might want to get someone over before the place gets robbed."

Police: "Stay there for a while sir and watch things until we arive."

<I>15 Minutes later...</I>

Passer-by: "I'm glad you made it. I was getting tired and..."

Police: "You're under arrest for theft and breaking and entering."

Yea, that makes a lot of sense.
Re:wierd tactic - details of Title 18 Section 1039 by hillct · 2001-08-18 07:28 · Score: 3, Interesting

The previous poster (the AC) makes a vary good point. At what level should a computer be considered protected? IS a computer considered protected if there is simply the capability to set a password but none is set, or does there have to be an overt act by the administrator to attempt to protect a computer (like set a password, or read the manual or something).

Along the same lines, could weather or not a computer is protected be established by how difficult it was to gain access? Perhaps the computer could be said to be not ptotected because the guy didn't have to take any special measures to gain access (except click the 'edit' button in FrontPage. This is a legal question and not one I have the answer to.

--CTH

--

--Got Lists? | Top 95 Star Wars Line