Slashdot Mirror
Report Security Problems, Face The Consequences
An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.
Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood, This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite no how to respond, so I waited a day to see if the problem went away. It didn't.
I figured that if I could see the shares other people could to, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.
They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.
However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.
Stand Fast,
tjg.
So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What to I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?
This is a crappy situation.
Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
--Ambrose Bierce
My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that its often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.
The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.
now we need to go OSS in diesel cars
The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.
About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.
Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.
Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.
At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.
Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.
Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worth of a *FEDERAL FELONY* conviction.
I donated to Brian's cause, because a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).
If you don't believe in this case, donate to the EFF instead.
---
Segmentation Fault ( core dumped )