Report Security Problems, Face The Consequences

An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.

Not the whole story...

[szcx]

LinuxFreak:

The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.

Oklahoman News:

Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.

The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

With that in mind, let's not canonize Brian West just yet.

I once did something like this...But won't again!

[tjgrant]

Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood, This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite no how to respond, so I waited a day to see if the problem went away. It didn't.

I figured that if I could see the shares other people could to, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.

They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.

However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.

What to do?

[yogensha]

So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What to I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?

This is a crappy situation.

No good deed goes unpunished

[YIAAL]

This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteeen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.

part of the problem is incompetent sysadmin

[Skapare]

My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that its often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.

The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.

Something similiar happened to me

[Kiwi]

A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).

- Sam

Re:Has common sense become less common?

[Skapare]

That analogy does not fit. A more correct one would be:

Hi. I came by to visit you at your house yesterday, and when I knocked on the door, it just swung wide open. Did you know you have left it ajar? I yelled to see if you were at home, but you weren't. You know someone might steal the computer you have set up right at the front of the living room there. Well, I closed the door for you. Since I don't have your key I couldn't lock it. You really should try better to keep your door closed and locked, but if not, at least move the computer to your back room so someone less honorable coming along won't walk off with it.

Using the wrong analogy could leave people who just don't understand in the first place with a misunderstanding of it. As to the specific facts about the case with PDNS.COM, I don't know if I have them all or not. But based on what facts have been presented that I have read, my analogy is the correct one. The only reason 99.9% would say this guy is wrong is if they are judging him based on your flawed analogy. Common sense dictates that the case should be investigated. Maybe LinuxFreak.Org didn't really do a very good job of gathering the facts. But until they all are available, this is what we have to go on, and it makes the feds, idiot small town newspapers, and a certain sysadmin, look bad.

Re:Donations...( I *do* know him )

[CoreDump]

Actually, I do know Brian on a personal level. I've known him for a few years. I work for a national ISP based in the Chicago area, and have collaborated with him on some projects in the past, so I know who he is, what his convictions are, and he's certainly not guilty of anything malicious in this case. I'm not posting as an AC, so feel free to check me out as well, if you are convinced this a conspriacy to dupe the Slashdot community.

If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worth of a *FEDERAL FELONY* conviction.

I donated to Brian's cause, because a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).

If you don't believe in this case, donate to the EFF instead.