Report Security Problems, Face The Consequences
An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junkie at a SE Oklahoma ISP, is now facing felony charges for alerting his competition to a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find it rather disturbing that our federal government would do such a thing to someone." The details of the story lead to some head-scratching.
PHB: "Good work, Johnson! That'll show 'em!"
I can't believe that this sort of thing is happening.
There is a fairly obvious difference between cracking a system and exploiting the problems found, and coming across a problem by accident and reporting it in a sensible manner.
Behaviour like this from clueless law enforcement bodies who obviously don't know the difference is not going to help anyone. It will deter people from helping one another out, because you don't know how the other sysadmin/business will react, and because the law cannot tell when the party with the problem is overreacting.
What ever happened to the whole global village ethos - you scratch my back (i.e. tell me when I need help) and I'll scratch yours?
Now it's "Ahhh! A cracker!" to everything, good or bad.
Whistle-blowers have been persecuted and prosecuted for a long, long time... why do you think we would be immune to the norms of society?
This, from the only country that forces you to go through customs & Immigration even to handle a connecting flight.
From one of the few remaining countries with a death penalty.
From a country that still taxes its people even if they reside in a foreign country (only a few countries still do this, one being Libya).
God help us.
But seriously, this guy deserves a medal, not time in jail or fines. If a worker at a car company knew of a serious fault in another company's car and didn't come forward, he would be guilty of murder (assuming people died from the flaw). If this guy hadn't come forward, he would be partially responsible for the damage caused by the security flaw.
I doubt this case will go that far, though.. I just wish the government would realize how fucking stupid they are being.
One of the things that lawyers will suggest to a whistle-blower like this is to have lunch in their lunch room, and talk loudly so as to get the information across
(strange, but true)
JoeLinux
It says in the article that he 'tested' the security hole to make sure it was indeed a security hole. It depends on what he did to that site during that 'testing'. If he did something illegal, then they are going to bust him in court for that.
...burn him!
The bottom line is, with all the FUD in the media nowadays (CR, Sircam, etc..), anyone who finds a flaw in some type of system is gonna get shafted, period.
The only thing I see as a possible remedy to this is for people to actually start using all those anonymous remailers that are floatin' around, otherwise, be prepared to get bent over for trying to be helpful. I can relate to this personally, the only good thing about it is that I only got fired, not arrested. But how much more BS are people going to take before they start to take a stand against this kind of crap?
Do Something About This!
The amusing thing is that under many statutes of the law, you're required to report something going wrong. For instance, if a friend tells you that he's going to kill his wife tomorrow, you can be found liable if you don't alert authorities. Now, apparently, you can also get arrested for TELLING authorities about the potential crime.
Unless, that is, the feds can tell us that they WOULDN'T have busted anyone exploiting the security hole that Brian West found.
The FBI posed as employees of the Poteau Daily News and asked West about dedicated internet access (T1 or better). They called for the best time to come visit him at Cwis Internet Services, the company where he works. After setting up a meeting, the FBI arrived on Feb. 11, 2000. When the FBI, posing as the 'main office' of the Poteau Daily News, asked about the problem with the pdns.com site, West explained the details regarding the pdns.com (Poteau Daily News) website, including how to fix the server misconfiguration. At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked. As it happened, the site was still wide open, two weeks after he had explained the vulnerability and how to fix it to the editor-in-chief of the paper, Wally Burchett.
I'd be tempted to call this entrapment...except for the fact that he didn't actually commit a crime.
You're using her as bait, Master!
I don't know how, but I'm pretty sure that 'violating the DMCA' will eventually come up as the charge.
Talk to the techs.
Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, emailing the webmaster or contacting someone at the hosting company?
Trolls throughout history:
Jonathan Swift
... I just love doing a good deed.
I've finally had it: until slashdot gets article moderation, I am not coming back.
Actually, most countries won't kill you for criticizing them... contrary to what you might be taught in school.
I'm pretty sure that this has nothing to do with the Digital Millennium Copyright Act. In this case, the FBI seemed to be quite devious, not stupid. What does this have to do with copyright violation? Nothing, since with the security hole it would be easier to deface intellectual property. Maybe you should consider spending some time away from Slashdot for a bit : ) Not every dumb government action is because of the DMCA, after all.
Two months ago, my firewall reported a scan from an IP. I was bored, so I checked it out and it looked like a home computer. On a hunch, I tried mapping the \\www.xxx.yyy.zzz\c share with no password.
It was infected by a trojan that replicates off unprotected C drive shares in Windows. I was looking at his C drive, and I thought about replacing everything on his desktop with nothing but a note telling him he was infected with a trojan and his HD was open to the world.
Thank God I wised up. He could have had me prosecuted!!!! God, I'm so starting to hate the government.
"I've never been to Vegas, but I've gambled all my life" - Ryan Adams
----------
ah honey, we're all resplendent - Bill Mallonee
Give 'em a whiff of the grape! (or at least the "slashdot effect"!)
Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood. This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite know how to respond, so I waited a day to see if the problem went away. It didn't.
I figured that if I could see the shares, other people could too, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.
They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.
However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.
Stand Fast,
tjg.
So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What do I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?
This is a crappy situation.
Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
--Ambrose Bierce
Given the apparent level of technical expertise of these idiots, and their repugnant behaviour, I suspect that they may soon become the "victim" of community (vigilante) justice.
I would have waited to see if some commenter came out with a link to more facts.
Happens every time.
What's this Submit thingy do?
...never be a good samaritan, because no one will appreciate your efforts.
Imagine this conversation in your street:
Guy 1: "Hey neighbour, you've left your front door wide open and I think the local hoods are eyeing over your TV and VCR system."
Guy 2: "What? You say you saw my front door open? How did that happen? I couldn't have left it open, not me. You opened it, right? I'm calling the cops buddy."
Only in America.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
I'm going to explain this very, very, very simply. Say whitehat A were to find a security hole in your company's computer and notify you, and you were to fix it. You thank him and (possibly) send him a small check.
Now... it appears that you would rather have the white hat see that your computer is vulnerable and not notify you, because he doesn't want to go to jail, and go start programming something else. Then, a few weeks later, a script kiddie comes by, sees a vulnerable machine, grabs all the passwords, and defaces every computer on your network he can find.
Take your pick!!!!!
Sig you!
Outrage? Yes. Stupid? Yes. But considering the environment, where any script kiddie can launch something like Code Red, is it really a surprise that someone overreacts and calls in the FBI?
Not that I think it's right (I don't), but it's not really surprising.
With all the news lately about high-profile 'cybercrime', and the foundation of 9 new divisions to help combat it, the FBI is under a lot of pressure to provide results and visibility. In essence, they have to make a lot of arrests, valid or not, to warrant the increased budget they have been given. No arrests, no money. The agents on this case probably realize that he had good intent, but they needed to arrest him anyway, just to get their stats up. They also know that he most likely will get off, but well, that's not THEIR problem. They just arrested him; DAs are supposed to get convictions.
And if it costs this poor bastard thousands of dollars? Sorry bub, but they gotta keep their budget.
Is this right? You tell me.
FBI goons play friendly while gathering evidence.
Only those things that can be used against you are considered.
Where is there news here?
I have made it a point to NEVER, under any circumstances, connect to any service beyond web pages linked by their own site without written permission of the owner, on their corporate letterhead.
Exposing security problems is considered to be a nasty, evil thing. Don't do it. Let them be hacked. Do not do it yourself. If you accidentally find a hole, don't access it, don't tell others of its existence, just go on about your own business.
You, a computer-knowledgeable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to Congress. You provide them with opportunity by providing a community service. Don't provide it.
It's sad indeed that in 2001 America, we've seen truth in the old adage "no good deed goes unpunished".
I suppose in today's legal climate, the only way to treat your neighbor is callousness, at least, and stay out of jail. Help your neighbor, get 1-5 years.
My suggestion to all those who are admins/coders/hackers/engineers, keep it to yourselves. I suppose we'll secure our systems, and let the government and the rest fall prey to script kiddies and our silence until they learn the Darwinian lesson of the consequences of their stupid 21st Century "digital age" laws.
=== The price of freedom is eternal vigilance
Soma: because a gramme is better than a damn.
This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.
[Better Off Dead]
"Go down hill, really fast. When you see a tree, swerve!"
...
[or, my favorite]
"He had his testicles all over me!"
[John Cusack] "Tentacles - 'nt'. Big difference."
Your right to not believe: Americans United for Separation of Church and
"yet the prosecutor claims that if he doesn't get convicted under Title 18 Section 1030 of the USC, then the prosecutor would try for wire fraud."
What? Huh? First off, if the prosecutor goes for Title 18 Sect 1030 and doesn't get a conviction, he can't just go after him again for wire fraud instead. Double Jeopardy.
Also, I guess it doesn't say, but what about the chief who recorded the conversation over the phone? How legal is that in Oklahoma? Anyone? I know in some states it's 100% illegal and in others there are hoops to jump through.
The story went into no details on what he did besides click 'edit' to compromise the site? It didn't actually state what he was formally charged with other than mentioning 'wire fraud' which could have a wide varying set of meanings. As part of being in this community I think it's up to us to dig and find more information before making rash decisions. After all, aren't we criticizing the FBI for their, apparent, rash decisions?
Uh-oh, -- the site is Slashdotted already!:
Warning: MySQL Connection Failed: Can't create UNIX socket (55) in home/gh0ul/public_html/include/connect.inc on line 6
We are having problems with our database, please come back at a later time.
My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP and were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files that I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to try to fix his security problem. Were it not for the fact that it's often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course, today it would only get me arrested. I did remove that server from the list. If only there had been a Slashdot in those days, but there wasn't even a web.
The law today is basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job... that is the indicator of incompetence. We know about the bug in IIS that gave life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.
The FBI, in particular, is very ignorant about computers and security. Read this month's Crypto-Gram (one link from the page I linked to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.
About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.
Instead of just listing the mailing lists that existed, the program gave me a list of all mailing lists, and all people subscribed to the lists.
Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.
At this point, the people freaked out. They thought I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.
Thankfully, the moderator of the mailing list was a member of our family's church. I wonder what could have happened if we were not on friendly terms with these people.
Finally, I wonder why the FBI pursues crap like this, and not legitimate problems where the FBI could really help (scroll down to the section where he describes his dealings with the FBI).
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
The way these things work is that the userid he picked at random was probably the userid of a secret mistress of one of the top FBI agents.
I was once a witness to a purse snatching where the victim happened to be the wife of the first cop who showed up. In the middle of something like that you sometimes doubt whether your mind is functioning normally. The cop car rolls up, the cop jumps out and immediately proceeds to give the victim a three minute hug. Hey, these guys are more compassionate than I thought.
The activity that followed couldn't have been outdone if the War Measures Act had just been invoked. The guy who snatched the purse is probably doing concurrent life sentences by now.
A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.
Y'know the worst thing that might happen?
They get cracked by some l33t /. reader and use that as evidence in the FBI case..
This version may be the truth, but this sounds like a pro-West report.
Is what's mentioned everything that West did ?
Gyan
Our government is clearly out of control with regard to incidents like this. This case sounds like it deserves nationwide protests just as much as the Sklyarov case.
Use the DMCA, kill Frontpage :-)
Everybody sing D - M - C - A (+ handwaiving)
Feel free to copy this and send it off if you like. With luck, either the DOJ will quit, or we'll get a better explanation. Hopefully we can create an awareness that VOTERS are watching what happens in these matters, and that we expect reasonable action and competence.
Don't post innacurate information
If you do, I swear by my pretty floral bonnet I will end you.
If the Government and various Companies want "Security through Obscurity", I say we give it to them. Will it solve their problems? No it won't, it will make their problems worse. However, it will solve several other problems, this article being a perfect example of a problem which could have been avoided. If he hadn't reported the security problem, he would never have been arrested. If System Administrators and the FBI want to bury their heads in the sand, then far be it from us to try to change them. I am sure there are a great many Crackers who would love to go back to the wild days of the 80's when every computer system with a connection was owned and information about cracks was circulated through underground BBSs.
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
Mr. Wally Burchett has some serious issues, and the Poteau Daily News has something coming to them if they think they can get away with this.
Everyone should start writing letters, call the editor, etc. From their Web site:
Address:
Poteau Daily News & Sun
P.O. Box 1237
804 N. Broadway
Poteau, OK 74953
Office Hours:
7a.m. - 6p.m. Mon.-Fri.
8a.m. to Noon Sat.
Phone Numbers:
(918) 647-3188
(918) 647-8198 Fax
Email:
pdns@pdns.com
publisher@pdns.com
If you write letters, direct them to Mr. Wally Burchett.
As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.
For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.
Ten firemen of Oklahoma City were arrested early this morning for trespassing.
The squad alleged they broke into a house because it was burning, and they had received an emergency call that said there were people trapped inside it.
Instead of innocent trapped civilians, they unknowingly tried to rescue undercover FBI agents.
The firemen broke the main door and entered the burning house, where they were immediately charged with vandalism, trespassing and attempted burglary.
They alleged they were trying to save lives, but this is no excuse to FBI agent Smith, who said:
"What we are facing here is a very serious crime. They entered the house without written permission from its owner. Their work doesn't matter. Or do you think a teller can enter a bank's safe and take money without permission?"
If the firemen don't get convicted, then the prosecutor would try for arson.
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
While this individual seems to have done a "good deed" in communicating a security flaw and this pursuit by the feds is excessive, the issue should at least get a fair treatment from both ends. Just imagine the following conversation:
Concerned Citizen: "Mr. Smith, I'm calling because I noticed that your bedroom blinds are partially open and I can see your wife walking around in the nude. I thought I'd bring this to your attention so you can remedy the situation before more malicious sorts exploit the breach in your window dressings."
Smith:"Are you sure about this?"
Concerned Citizen: "Yes sir. Just to be sure, I pulled out my binoculars. I can tell you that your wife has a pierced left nipple and a tattoo of Bugs Bunny on her right butt cheek. Oh, and I'm sorry about your lack of gift. They say that size really doesn't matter anyway..."
Smith: You bastard!!
A co-worker of mine found a strange machine on a corporate housing DSL network. It turned out to belong to the CEO of a consulting firm. My friend did poke around and noticed what could have been sensitive documents. He was also able to look at this individual's cookies. He was not able to find the guy's e-mail directly, so he contacted the company instead. The CEO called him directly, thanked him and offered to take him to dinner.
The big question is, would this guy have been as grateful if he knew the methods my co-worker used to figure out who he was? It's a fine line. Maybe being an anonymous good samaritan would be the better route.
-Nuke the moon
Since I don't have the cash to contribute right now, I did send an email to the address given at the end of the article. Here is what I wrote:
Hello,
I just read about a case involving Brian K. West. The URL is:
http://www.linuxfreak.org/post.php/08/17/2001/134.html
From everything that I have read, this person did absolutely nothing wrong. I fail to understand why he is being persecuted for simply notifying somebody of a *VERY SERIOUS* security hole on a service they offer to the entire world.
Please consider throwing this case out. Mr. West has undoubtedly already lost much time, money, and reputation due to this injustice.
Had he done the same thing for me, I would have immediately sent him a message of thanks and IMMEDIATELY secured the site. Apparently, weeks after the initial warning that Mr. West was so kind to give the Poteau Daily News website administrator, this hole (really a misconfiguration on the administrator's part) still was not closed.
Allowing FrontPage publishing to the entire world is a serious potential vulnerability. Doing the same with no authentication mechanism is just plain stupid, especially for a news site whose integrity is at stake.
If you would like to see other people's views on this incident, please visit:
http://slashdot.org/article.pl?sid=01/08/18/170259&mode=thread
-- greg, webmaster@no.slashdotting.desired
--
Greg Spath
gspath@no.slashotting.desired
http://no.slashdotting.desired
After reading that article I am appalled. Why does no one stand up to the FBI? Why did he not tell them to take a hike when they didn't present a search warrant? There are certain pieces of paper that our founding fathers created so power-hungry men like this couldn't have their way with people. They are called
THE BILL OF RIGHTS and THE CONSTITUTION
Will we have to fear the G MEN from now on?
This sort of thing happens to a lot of gun owners, except it is the ATF doing it. They are just on a witch hunt.
It's not the OS it's the user that sucks. If it's user friendly, you get stupider people. - clinko
For all of those tempted to donate money, make sure you check out the story first!
"No, Officer, I didn't want to steal that car, I was just going to notify the owner of the insecurity."
This is the worst analogy ever. This is more like someone parking his car out front and yelling "Come look at my car! Come look at my car!" and, when someone looks in the window and says the door is unlocked and the keys are in the ignition, calling the cops to have them arrested.
The part you seem to be missing is that it was an explicitly public access site and he inadvertently found a hole. He wasn't looking for one, he just found one. Would you be arrested for robbery if you saw a $20 bill lying on the sidewalk?
This is nothing new. The FBI has been screwing up stuff like this for the past couple of years in many different areas. Remember Richard Jewell? Same situation as this, just without technology involved. The problems with the FBI don't stem from ignorance of technology.
Shouldn't MS be a co-defendent as they provided the software used to 'hack' the site? Isn't there something illegal about making tools that are used for 'hacking'?
I had to go through C&I to get to my connecting flight at Schiphol (sp?) at Amsterdam. Very annoying (since my incoming flight was so late that I had 5 min to connect. blech.)
Gathering the information from the reports is a tough nut to crack. If all Brian did was open the page using the EDIT command, then I don't know why it would show hundreds of accesses.
On the other hand, if he opened the site in FrontPage -- which is a natural extension to see how far the site was compromised -- the log files would show hundreds of accesses if he went to all the pages, especially if the FrontPage bots were being used.
Either way, it is sort of humorous that a paper would leave the ability to edit the pages open. I didn't see any comments that said otherwise. It looks like someone didn't enable the basic user/password challenge for accessing FrontPage in administrator mode.
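The log-file question raised in the comment above, worked through as an added example (this is not code from the article, from Brian West, or from anyone in the thread): given web server access logs in NCSA common log format (the sample lines below are constructed, not the newspaper's real logs), tell a single "Edit" click apart from a full FrontPage authoring session, and check whether the authoring endpoint ever answered a client that had not logged in with a success code, which is exactly the missing user/password challenge the comment describes. The FrontPage Server Extensions paths used are the stock ones and are an assumption about how the server was laid out.

```python
import re
from collections import defaultdict

# NCSA common log format:
#   host ident authuser [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Stock FrontPage Server Extensions endpoints (assumption: the server used the
# default FPSE layout; the page does not say how pdns.com was set up).
AUTHOR_DLL = "/_vti_bin/_vti_aut/author.dll"          # list/get/put documents
HANDSHAKE = ("/_vti_inf.html", "/_vti_bin/shtml.dll/_vti_rpc")  # client probe + RPC


def parse_line(line):
    """Parse one log line; return a dict of fields, or None if not CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per client host: ordinary page hits, FrontPage authoring hits, and
    author.dll POSTs that succeeded although no user was authenticated."""
    clients = defaultdict(lambda: {"pages": 0, "authoring": 0, "unauth_author_ok": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["host"]]
        path = rec["path"]
        if path.startswith(AUTHOR_DLL) or path.startswith(HANDSHAKE):
            c["authoring"] += 1
            # A 2xx from author.dll to a client whose authuser field is "-"
            # means the server never demanded credentials before authoring.
            if (path.startswith(AUTHOR_DLL) and rec["method"] == "POST"
                    and 200 <= rec["status"] < 300 and rec["user"] == "-"):
                c["unauth_author_ok"] += 1
        else:
            c["pages"] += 1
    return dict(clients)


def classify(client_summary):
    """A lone "Edit" click is the handshake plus one or two RPCs; opening the
    whole web in FrontPage produces a long run of author.dll calls."""
    n = client_summary["authoring"]
    if n == 0:
        return "browsing only"
    if n <= 3:
        return "edit-click probe"
    return "authoring session"


def server_accepts_unauthenticated_authoring(summary):
    """True if any client ever got a successful author.dll reply without logging in."""
    return any(c["unauth_author_ok"] > 0 for c in summary.values())


# Constructed sample log; hosts, times and sizes are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2000:10:01:00 -0600] "GET /index.html HTTP/1.0" 200 5120
10.0.0.5 - - [28/Jan/2000:10:01:07 -0600] "GET /_vti_inf.html HTTP/1.0" 200 1754
10.0.0.5 - - [28/Jan/2000:10:01:08 -0600] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0" 200 311
10.0.0.5 - - [28/Jan/2000:10:01:09 -0600] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 200 2048
10.0.0.7 - - [28/Jan/2000:11:00:00 -0600] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 401 0
10.0.0.9 - - [28/Jan/2000:12:00:00 -0600] "GET /_vti_inf.html HTTP/1.0" 200 1754
10.0.0.9 - - [28/Jan/2000:12:00:01 -0600] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0" 200 311
10.0.0.9 - - [28/Jan/2000:12:00:02 -0600] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 200 9800
10.0.0.9 - - [28/Jan/2000:12:00:03 -0600] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 200 4400
10.0.0.9 - - [28/Jan/2000:12:00:04 -0600] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 200 4400
10.0.0.9 - - [28/Jan/2000:12:00:05 -0600] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 200 4400
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, s in sorted(summary.items()):
        print(host, s, classify(s))
    print("unauthenticated authoring accepted:",
          server_accepts_unauthenticated_authoring(summary))
```

In the constructed sample, 10.0.0.5 looks like the "click edit in IE" scenario (three authoring hits, one of them a successful unauthenticated author.dll call), 10.0.0.9 looks like a FrontPage session walking the web, and 10.0.0.7 is what a correctly configured server should log: a 401 challenge. The point for a defender is that the 200s to an unauthenticated client are the server's own admission that the password challenge was never enabled, independent of what any one visitor did.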
Something a bit similar happened to me a few months back. I discovered a big security hole in my webspace provider's server, which allowed me (or anyone else who knew about the hole) to read all of the other users' e-mail and access all their pages, which included seeing passwords for MySQL databases written inside .PHP files.
I notified the sysadmin about the hole and all I got back was "we are really busy and we don't have time for such details right now. we'll look into it at some point". Well, almost 8 months later the hole is still there. And the best of all - they are giving away free 1-month trials to anyone who wants one. You don't even have to provide your real name, because they never check it!!
Some really never learn...
Actually, the FBI agents weren't trapped inside, they were just debating who would go to jail after one agent pointed out that another's fly was open. Was the person with the lazy zipper a sex offender, or was the person who pointed it out a peeping tom? By the time the firemen got there, the agents had all handcuffed each other to each other. Local police commented that this was obviously some arsonistic sex cult, and that the FBI agents' names should be listed on a public bulletin board. The NSA pointed out that this would unnecessarily expose the agents, so the cops were arrested. The DoJ brought the case before the Supreme Court and thus was the entire American 'justice' system brought to a halt.
The firemen, having no one left accusing or prosecuting them, returned to life as usual, and the nation breathed a sigh of relief as good samaritanism was, if not legal, at least accepted again as there was no one to prosecute the cases left.
Hrm. I think we need updated/slightly modified Good Samaritan laws to cover this sort of thing. This is even worse than the situations GS laws were meant to cover. Current ones cover the case where you cause damage accidentally while trying to help. He didn't even do that. It's like rescuing a man from drowning and having him sue you for doing so. To quote John Stossel: Give me a break.
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
he is guilty of unauthorized access to the PDNS web site. He admitted in a recorded conversation with PDNS representatives that he accessed the user names and passwords to their site, that he entered their site using these names and passwords, and that on three occasions, he entered the web site of 1st National Bank of McAlster and was able to view customers' checking accounts, savings accounts, and money transfers.
So, going back to the house analogy, he is guilty of going inside and looking around.
The details of the affidavit are from Brian West's own web site, http://www.bkw.org
"Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
I was talking to a friend who still worked at a place where I had been previously employed (both of us in IT), when he mentioned that they had moved their web services to a 'professional' hosting company. I had been playing around with SAINT, and during the conversation (I forget who mentioned it) we decided to scan the machine hosting their site. The scan showed anon FTP with write access. I logged in (anonymous) and noticed that I had write access to the entire site, including all the scripts that dealt with the credit card numbers. After checking to see that the write access was real (I created a file in the root directory, containing my name and phone number, and an explanation of what I was doing) I told my friend to have that company called up and have the problem fixed immediately. Later that day, I got a phone call from the 'professional' company that was hosting them, slightly upset at my actions, but just happy that I *was* benign. They could have done the same to me as has been done to Brian West, but instead they fixed their problem, and let me live.
Nathan Brazil?
"When Mr. Burchett called back, he recorded the call and asked for details on the server problem. In the course of explaining the problem, West let Mr. Burchett know that other companies, including West's own bank, had experienced similar problems configuring server software. Following their phone conversation, Mr. Burchett gave the tape to the Poteau Police Department. That's when the FBI got involved."
Isn't taping a phone call without both parties' knowledge/consent illegal? Wasn't Linda Tripp charged for that?
There is a link in the story to make donations, and I would if I could, but if he wins I hope he can sue them to get his money back and more... The person who got him in trouble should be the one who is punished, not him.
They that quote Benjamin Franklin on liberty and safety deserve neither.
Anyone with a bad idea and enough money can get any nonsense turned into a law.
--Blair
"Democracy is a wonderful thing. I wish we had some."
It never ceases to amaze me how absurd these people can be. This type of action reminds me of a time when a family member (a lawyer) came to me to find out if there were any way to sue someone under libel law for posting to a newsgroup much like slashdot.
Simple actions, obvious freedoms, and inane people in places of power trying to remove them...
Will it ever stop?
It can, (and probably will, if the DMCA isn't killed) occur, just as you implied.
But consider a similar case. Remember when there was a huge exposé on Food Lion, with packaged meats being re-dated? That didn't last long in the media, because the reporter (who went undercover) violated Food Lion's Non-disclosure agreement.
In this case, the DMCA is just like a NDA, and even applies. We signed the agreement by voting for the senators and representatives we did.
Fortunately, NDAs can be declared invalid, depending on various laws. So can the DMCA, by the Constitution.
I will be one of the many disappointed people if the DMCA isn't declared unconstitutional.
What's this Submit thingy do?
Report Security Problems, Face The Consequences
Posted by timothy on Saturday August 18, @12:09PM
This is similar to Adobe's case with Dimitri. Tell a company of a flaw in their product/system, they consider you a malicious person.
The U.S. Government seems to support the idea of allowing insecure products and telling people not to exploit them. I guess their being against encryption falls into the same place.
One item not mentioned in the article is the details of Title 18 Section 1030 which pertains to 'Fraud and related activity in connection with computers'. Under this statute, mere access to protected computers owned by the federal government is a criminal offense, and access with intent to cause damage or defraud are offenses, but this guy hasn't committed any of these offenses. The only offense he might have committed is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.
The problem with prosecuting under this theory is that as far as I can tell (and the article doesn't really say either way) accessing the computer hosting the newspaper website was not done across state lines (thus affecting interstate commerce - which is why this clause can exist in the US Code at all). Does anyone know whether access to the newspaper website was done across state lines? It doesn't look like it to me.
--CTH
--Got Lists? | Top 95 Star Wars Line
Anyone heard of Randal Schwartz? He's been fighting something like this for years.
What you did is highly illegal. There is no backing out of it by saying, "I was just testing a theory."
What will end up happening is you are going to found out one day, if it is a smaller city that performs yearly audits and then you will find a FEDERAL WARRANT out for your arrest. This is because you performed a FEDERALLY PUNISHABLE CRIME. The only thing you can hope to get is a light sentence if you bring yourself down to the courthouse and get in touch with the right people.
You might get real lucky and have a slap on the wrist. However, the longer you wait the more likely you will go down in flames.
What you did sucks and I have no sympathy for you.
--
.sig seperator
--
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
You try doing chemistry as a hobby at home today you will find yourself in jail. Even if you never make any drugs or bombs, it will be assumed that you are making drugs and bombs. The possession of any chemicals which could conceivably be used for making drugs or explosives will be taken as evidence that you are making drugs and explosives - even if you aren't. Even if you have careful notebooks which explain what you're doing, it won't help you. People have been sent to prison for possession of three-necked flasks and triple-beam scales!
Computer security has, I think, gone the way of chemistry. Don't do it at home! I am by nature a paranoid person - perhaps this is to compensate for my lack of ability to "read" people and take hints - it would never occur to me to do any white-hatting and give my real name. I would have notified the newspaper jerks by email from an anonymous terminal or by disposable calling card from a payphone. The boy in this case should have told his boss at his company, and let his company decide whether to call or not. Instead, he goes off and gives the impression that he goes around finding holes in systems, on his own, all the time! If security is your hobby, go and get a job at an actual security company and do it full time. Or don't do it at all.
In Brian's case, this reminds me more of a guy walking his dog around his neighborhood on the sidewalk who notices that the front door of one of the houses was left wide open and that there are flashing neon signs pointing to the open door that read
ENTER HERE -->
TAKE EVERYTHING IN MY HOUSE! PLEASE! I DON'T WANT IT! IF I DID, WHY WOULD I PUT THIS SIGN UP AND LEAVE MY FRONT DOOR OPEN?
So, the guy looks at the mailbox to find a house number, looks up the number in the neighborhood directory, and calls the owner to make sure he's aware of the situation.
We can start an entire thread on analogies for things like what Brian did and what portscanning is, but it just becomes subjective depending on how familiar you are with the technology. To many of us, opening up a file that contains contact information after Frontpage accidentally goes into editing mode instead of read-only mode (or whatever) and then contacting someone about it seems trivial. But to your average FBI cybersleuth, it's just as trivial to spin this in an insanely dark direction.
Isn't it more fun to catch cybercriminals than to wander around determining that those people are actually innocent? Try to convince your average cocky FBI boy of that.
Many of us have pointed out problems with web sites but few of us have been keelhauled for it. This is a chilling development to think that FBI agents are so eager to be promoted for appearing to be cyber-savvy with such grandstanding symbolic arrest-like-gestures and ISP managers trying to cover their incompetent butts by crucifying a well intentioned guy like this.
Moral: Stop reporting security holes!
Wansu, th' chinese sailor
If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worthy of a *FEDERAL FELONY* conviction.
I donated to Brian's cause, because as a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).
If you don't believe in this case, donate to the EFF instead.
---
Segmentation Fault ( core dumped )
By this definition, all computers connected to the Internet are "Protected" under US law. So what they are charging Brian with is accessing this "protected" computer and downloading a Perl script to which the company assigns a value of $5,000.
The fact that the computer was unsecured does not play in the matter. If the Perl script had been on a public FTP server, they could still charge him with "obtaining anything of value" from a "protected computer".
Passer-by: "Hello, police? Yea, I was driving by KMart when I noticed that the doors have been broken off of the front of the building. You might want to get someone over before the place gets robbed."
Police: "Stay there for a while sir and watch things until we arrive."
15 Minutes later...
Passer-by: "I'm glad you made it. I was getting tired and..."
Police: "You're under arrest for theft and breaking and entering."
Yea, that makes a lot of sense.
...will no longer look out for his neighbors.
To put it bluntly, I had to deal with the local Police Department, yesterday, because someone had broken into a neighbor of mine's apartment. After reading this article, I'll stay uninvolved from now on.
Thank you, FBI, for making my life simpler.
First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically that's entrapment.
If the company asks me to demonstrate breaking into their website, then that's the same thing as inviting me into your house then having me arrested for trespassing.
Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.
All that aside, what do we do? Should we not bother to help the world secure itself? Should we just write worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.
How DO we deal with this? Law Enforcement either doesn't have a clue, or doesn't care, and probably it's both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure microsoft crap and have it work, and microsoft certainly isn't going to take any blame for it.
This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcement involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.
As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if it's not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?
-Restil
Play with my webcams and lights here
Many years ago, I was told by a San Diego Police Detective that they are "not interested in the truth, only in good busts." The failure to understand this mindset leads to the kind of situation discussed here.
Prosecutors, police and bureaucrats (obviously, with a few exceptions) do not have your best interests in mind. Like most people, their own interests come first. These might include career, family, power, prestige or (fill in the blank). It really doesn't matter what their motivations are, just know that your interests are not considered or are at the bottom of the list. Expecting more is naive and dangerous.
This does not mean that they do not frequently do good and important work, it just means that their interests do not necessarily coincide with yours.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
Think about it this way: Suppose you embark from Podunk, Idaho on your way to Frankfurt, with a connection in LaGuardia (New York City) each way. (Assume that Podunk Regional Airport has no customs and immigration facilities, but it wouldn't matter if it did.) On your way back, you'll go through customs and immigration in New York, because after New York, it's all domestic flights.
It works the same way going abroad.
--
We have fought the AC's, and they have won.
Totally wrong. Somebody who knows the technology must have been involved even before they called in the FBI. And I'm sure the FBI and the U.S. Attorney also have technical experts.
Undoubtedly Cyberlink has a policy of referring all security breaches to the authorities. They probably call it "zero tolerance" or whatever the get-tough buzzword is this week.
Common sense says that West behaved responsibly. He inflicted no actual harm on the Daily News web operation, and indeed probably saved them some down time, or worse.
Unfortunately, common sense is not relevant here. When somebody gets caught in a technical violation of the computer security laws (even when the violation is a matter of interpretation, as in this case), the authorities have every motivation to "send a message" and go after the "culprit". Brian West's criminal intent, or lack of it, is simply not to be considered.
The ultimate safeguard is supposed to be the trial jury, which would presumably see that Brian is anything but a criminal. But in order to avail himself of that safeguard, Brian has to expend all his financial resources in an expensive trial.
So the U.S. attorney offers Brian a plea agreement involving no jail time. Brian gets to walk away with some of his finances intact, and the feds get to chalk up a conviction. Everybody's a winner.
Outrageous? Yeah, some people would say so. Stupid? No argument from me. Counterproductive? Actually making things worse? Absolutely. Unprecedented? You've got to be kidding. This is the way the justice system works, and this sort of thing happens every day.
I've long had a policy of never reporting security breaches, unless the victim is somebody I know and trust. I've had brushes with the "shoot the messenger" mentality before, though never anything as nasty as this. I'm not surprised, but it's a little chilling to see my worst fears so thoroughly confirmed.
I find it so ironic that geeks and programmers (myself included) are so one-dimensional about life. On the one hand, we spend enormous amounts of time and resources securing machines from outside intrusion, and ridicule those who don't (e.g., Microsoft).
On the other hand, our entire lives are an open book to any law enforcement agency, businessperson or non-tech professional because we just don't know enough about how life works.
Here's a clue: don't let an angry guy you don't know record you on the phone! Federal laws are very strict about the legality of recording telephone conversations. If both parties do not agree to the recording, the person doing the recording is committing a crime.
Maybe if we secured our own lives as well as we did our servers these problems wouldn't happen to us. Why do we blame the sysadmin if someone breaks his insecure box yet blame the government if they break into his insecure life?
Have fun: Join D.N.A. (National Dyslexics Association)
You realize time or no time,
a felony conviction can rip you
a new career asshole on a semiregular
basis for the rest of your life.
I just wanted to drop you a line to let you know how much I appreciate your efforts in the Brian K West fiasco
It is good to know that if I, or someone else, misconfigures my software that I will not be likely to hear about it from a well-meaning person because of their fear of prosecution. Instead, I will hear about it when it is too late and a truly malicious person exploits my vulnerability.
Where would the world be without people like you?
If you ask me, the FBI agents and any other law enforcement agents involved with this situation are the ones who belong in jail.
Cheers.
[signed with real name]
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Whether or not state lines were crossed is immaterial. The mere possibility that the computer could be accessed from another state is enough to trigger the statute. Even if the activity originated and terminated completely inside one state's boundary, the federal statute still applies.
Yes, I know this fact. When I said "everyone's a winner" I was using a special form of expression you should acquaint yourself with.
Let me set this up. I'm not a lawyer, but I was charged with, took a plea deal for, and served time for a violation of 1030(a)(5).
He is expected to be charged with a violation of Title 18, Section 1030. If we have all the facts, the closest charge would be under one of the subsections of 1030(a)(5):
knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;
It's not enough to merely access a "protected" computer. He has to have either intentionally caused damage or been "reckless" and unintentionally caused damage. He also has to have caused $5,000 or more in damage, which can include the time taken to detect and clean up after the intruder.
Now if he did not change any of their existing files, only created a new file to see if they were vulnerable, and notified them himself, there is certainly some doubt that he caused more than $5,000 in damage.
The government also has the burden of proving his criminal intent. This is exactly what will cause the judge to throw out the case, if it ever gets there. From the article, it appears clear that his intent was not to cause damage. If he can support that claim, he'll win. Heck, he should consider filing a suit of his own.
This case is almost certainly the result of an overly enthusiastic FBI Special Agent and/or Assistant U.S. Attorney. They are under pressure to build their expertise prosecuting computer crime cases and they are very actively seeking cases to try. They could very well proceed with this case just to gain the experience.
A couple of years ago I found some strange charges on my credit card bill. Someone used my card to download commercial software. I did my own investigation and found that:
- when I recently subscribed online to an ISP, all the data was sent to one of the employees. That employee was probably responsible for billing.
- I could read /etc/passwd using browser and my dial-in password. I could find who worked for the company (they used ksh, others pppksh)
- I could read ALL MAIL BOXES using browser and my dial-in password. That included mail box of that employee. I found credit card numbers of 4 other people there.
- I could CHANGE ALL MAIL BOXES with ftp.
I also found what account was used to read e-mail with my credit card number.
I sent an email to the boss (I found who the boss was by looking in the employees' emails) and there was no reply. Then I edited the mail box of the billing employee ("I am interrupting your reading to inform you about such and such problems...").
Only then they fixed it. Oh, and I talked to the sysadmin, and he did not know what a sticky bit is.
Now: should I rot in jail?
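The post above describes mailboxes that any dial-in customer could read through a browser and rewrite over FTP, and a sysadmin who had never heard of the sticky bit. Those are filesystem permission mistakes that the ISP could have found with a few lines of its own. The following is an added example, not code from the thread or from the ISP in question; it builds a constructed spool layout under a temporary directory (the real one would be something like /var/mail) and audits it for mailboxes accessible to other users and for a world-writable spool directory missing the sticky bit. Group access is not flagged because a conventional spool grants the mail group access on purpose; that has to be checked against ownership separately.

```python
"""Audit a shared mail spool for the mistakes described in the post.

Added example, not from the original thread. The spool layout is
constructed under a temporary directory for illustration.
"""
import os
import stat
import tempfile


def audit_mail_spool(spool_dir):
    """Return a sorted list of (name, problem) tuples; empty means clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(spool_dir).st_mode)
    # A shared spool is often world-writable so delivery can create new
    # mailboxes. The sticky bit (01000) then restricts renaming and deleting
    # a file to its owner; without it any local user can replace anyone's mailbox.
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append((".", "world-writable directory without sticky bit"))
    for name in os.listdir(spool_dir):
        st = os.lstat(os.path.join(spool_dir, name))
        if not stat.S_ISREG(st.st_mode):
            continue  # mailboxes are plain files; symlinks and subdirs are out of scope here
        fmode = stat.S_IMODE(st.st_mode)
        # "Others" access is what let every dial-in account (and the web
        # server running as some unprivileged user) read or rewrite mail.
        if fmode & stat.S_IROTH:
            findings.append((name, "mailbox readable by others"))
        if fmode & stat.S_IWOTH:
            findings.append((name, "mailbox writable by others"))
    return sorted(findings)


def build_sample_spool(base):
    """Create a constructed spool mirroring the post: world-writable directory
    with no sticky bit, and mailboxes with assorted over-broad modes."""
    spool = os.path.join(base, "mail")
    os.mkdir(spool)
    os.chmod(spool, 0o777)
    for user, mode in (("alice", 0o666), ("bob", 0o644), ("billing", 0o600)):
        path = os.path.join(spool, user)
        with open(path, "w") as fh:
            fh.write("From sender@example.invalid\nSubject: constructed sample\n\n")
        os.chmod(path, mode)
    return spool


def fix_sample_spool(spool):
    """Apply conventional permissions: sticky world-writable directory,
    mailboxes private to their owner (0600)."""
    os.chmod(spool, 0o1777)
    for name in os.listdir(spool):
        os.chmod(os.path.join(spool, name), 0o600)


def run_demo():
    """Build the sample, audit it, fix it, audit again; return both reports."""
    with tempfile.TemporaryDirectory() as base:
        spool = build_sample_spool(base)
        before = audit_mail_spool(spool)
        fix_sample_spool(spool)
        after = audit_mail_spool(spool)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for name, problem in before:
        print(f"before: {name}: {problem}")
    print("after fix:", after or "clean")
```

Run against a real spool, the audit function takes the directory path directly; the build and fix helpers exist only to make the example self-contained.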
Yes...<scribble>....uh-huh....<scribble scribble>... go on... So you did what? Opened one of their files, which you understood to be something they did not want you to see? Interesting.....<scribble scribble scribble scribble scribble scribble *SNAP*...>Crap! Say, you don't have a pencil I can borrow do you? One of these days I'll get a computer to take notes on.
Also, would you tell us your address and save us the trouble of looking it up? We would like to uh, discuss your *discovery* further.
Special Agent Jones
Federal Bureau of Instigations...
Now that the commies are out of the picture, A new villain is needed. The Chinese are maturing nicely, but won't be ready for some time. Child molesters and kiddie porn purveyors have filled the gap, but people are getting bored, and most of them are in prison by now anyway.
I know, let's get the geeks. Nobody knows what they do, and they look funny. Besides, they are responsible for the dangerous notion that democracy is more than dutifully not voting in elections.
If i see a site at blah.com with a problem, then I'm going to contact the admin@blah.com If I see merchant X is running a site with problems, I'm going to try to contact merchant X.
So let me get you straight... you think he should go to jail because he notified the wrong person first? Are you serious or just trolling? He found a contact address and told them.
I honestly can't believe you think he should go to jail for not finding the exact right guy to report this to. "What? You told the sergeant about it! Only the captain handles these vandalism reports. Put your hands behind your head. This is a serious offense."
*blink*
Tell me you're kidding.
From the article: "They also refused to promptly provide a copy of the Search Warrant when one was repeatedly requested."
:-)
That, boys and girls, is a violation of a defendant's rights. A big one. We don't need to worry too much about this case, I think - a competent lawyer will get it thrown out on those grounds alone. I'm just surprised at the FBI stupidity. Wait a sec...no I'm not.
I'm the stranger...posting to
Normally I donate to "legal defense funds" (such as Sklyarov) but this appeal has me a little suspicious. Particularly the appeal for $10,000 in lawyer fees and the convenient PayPal account. Other defendants have needed a support group or the EFF to set this up for them, but Brian has his ready to go.
I don't want to slam Brian if he's really facing unfair prosecution, but I also would like to see some outside verification of his story from a reliable news source (like the EFF or the ACLU).
Otherwise, it's quite possible that Brian is in fact a cracker and is playing on the sympathies of the Slashdot crowd to raise a little bail money. Remember, the FBI does sometimes arrest real criminals!
Please CC: your reply to me, since this item already has hundreds of comments and I'm not sure I'll find it.
-Josh
At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked
I can just picture this situation, these FBI agents were probably sitting there thinking "wow, this hacker dude is hacking into the site right in front of us, we've really got him now. This is too easy!".
Seriously, if an organization such as the FBI doesn't even have the know-how to tell the difference between "hacking maliciously" and "letting a company know they have a security problem", then their authority should be taken away from them - unless they can prove they actually know what they are doing - otherwise, we have a serious problem. You can't give someone so much authority and power to investigate crime when they know little to nothing about what they are supposed to be investigating. That's scary.
I live in OK. Never trust what the Oklahoman says. It has been judged one of the WORST newspapers in America (http://www.cjr.org/year/99/1/worst.asp). They are racist, homophobic, and very skewed on all their reporting.
Maybe we DID take the blue pill. You wouldn't remember anyway.
Ahem, this man has not been charged with a crime. That means they are blowing smoke -- for now. He does not need an attorney.
Look, several years ago, I walked near an area where a sexual assault had taken place. The police saw me, and you can imagine what happened. I was a perfect target -- single, no alibi, just walking between two places alone.
They questioned me, took my info, and left. The next day they started calling me at home and at work, trying to get me to confess, trying to get me to "accept" a lesser charge.
They stated that if it went to court, they had enough circumstantial evidence to convict me, that if I didn't take the offer, they would go for the most severe charge. I would be in jail for "years", and (obviously) lose my job.
If I would just confess to a lesser charge, they would "guarantee" no jail time, and no fine. After seven years, it would be like nothing happened, there would be nothing on my record.
There was just one problem with accepting the blame : I was not the perpetrator; I committed no crime.
So I was scared. I spent some money on an attorney ($75) and the guy wanted thousands "up front" to "insure my freedom".
As it turns out, most lawyers are lying bastards. I talked to my Dad's attorney about this, and he started laughing. He said "My God, this is America! You haven't even been charged! They're blowing smoke up your ass to try and get a free conviction for doing no work!"
He recommended that I call the Detective and state:
"My attorney and I will surrender to your department when charges are filed, please contact me at that time. I have no intention of fleeing; I would like to avoid the embarrassment of being arrested at my home or place of work".
Total cost for a real attorney : $0.00
I was never arrested, charged or contacted again!
Know your rights! You do not have to speak to the police...you should respect them and answer rudimentary questions with honesty, but once it becomes clear that you are a target of the investigation, stop talking! Simply tell them you intend to turn yourself in when charges are filed.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
I've had friends fired from high paying jobs for doing the same thing inside of the company that they were working for at the time. You just don't point these things out by yourself.
Yeah, it's fucked but that's how they think and work.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
Now if we can just get all the crackers of the world to start phoning the System Administrators of the systems they crack, we'd be all set!
--It's Pimptastic!--
The DOJ prosecutor's letter to Mr. West was quite revealing.
"Also the government would be willing to resolve this matter at this juncture if you agreed to plead guilty to one violation of Title 18, United States Code, Section 1030. As part of the agreement the government would stipulate that your sentence should be probation. Please let me know, in writing, as soon as possible, whether or not you wish to resolve this matter pursuant to plea agreement."
To let him off with probation, no fine or jail time whatsoever, is DA-speak for "We've got an incredibly weak case that might not clear the grand jury."
This is the way most cops and prosecutors act, whether it's a traffic ticket (in my case), or a so-called hacking case.
Everyone's guilty of something in their minds. In my case, I was profiled, stopped because of the way I looked. I sat in my car for thirty minutes while they ran me through just about every database on the planet, looking for something on me. I'm a nice guy, there's nothing on me. Then they tried to stick me with running a red light. I complained so much about that, the cop on the scene decided to do me a favor and gave me a less serious ticket, one for ignoring a traffic signal. The cop wasn't doing me a favor, she was covering her ass. I decided to fight it. In court, the prosecutor called me outside and tried to cut a deal with me. If I pleaded guilty, they'd waive the court costs, saving me about a hundred dollars. I said no. When my case was called up, they declined to prosecute. The case was dismissed. I wasn't guilty, they knew I wasn't guilty, and they still tried to stick me with the ticket.
This is a tiny, tiny incident compared to Mr. West's, and I only tell it as an example of prosecutorial behavior. Sheldon J. Sperling's office is trying to get out from under a bad case. Mr. West should expect more pressure to plead out in the days before the grand jury convenes.
Should Mr. West testify at the grand jury hearing? If it were me, I'd do it. Here's why.
The offer of a plea in Sheldon J. Sperling's letter is a standard tactic of prosecutors with a weak case. It might seem like a quick-fix now, since there's no jail time and no penalty, but such a conviction might damage his employment opportunities in the future.
He should look around for a cheaper lawyer, they do exist. But if he can't find one, the $10,000 is a good investment in the future. Only if he's feeling very, very brave and confident should he go without the lawyer.
If the facts are as he stated, there's a good likelihood that the grand jury won't hand down an indictment. This is sometimes hard to tell, since a few grand juries are led by the nose, while others are independent of the prosecutor. In an ordinary case, the defendant's appearance might hurt the chances of its dismissal. The prosecutor might use the opportunity to put on a show, browbeating him into looking guilty. On the other hand, this is about a technical subject. Mr. West has the advantage over the prosecutor. If he thinks he can easily and simply explain the technology and his actions without getting rattled by the prosecutor, he should go. I would.
Mr. West, if he thinks he's able, can derail this process at the start, avoiding thousands of dollars in legal fees and a year or two of worry. Me, I'd go for it.
For anyone interested in reading the law under which the prosecutor is planning to charge this guy, it is here
If the details of the story are correct, there's no way the DOJ can win this case, as all of the provisions under the law have to do with intent to defraud or demonstrable harm having occurred. But, as others have pointed out, the details are a little sketchy.
It's just NOT the same thing.
Should I modify your computer? Heck no.... I shouldn't, you are absolutely correct about that.
However, simply trying to connect to \\blahblah\c and having it work is hardly 'breaking in'.
No, I wouldn't break into someone's house just for fun. But, let's say I was walking down the street, and I saw a shopkeeper locking up for the night, but noticed he didn't shut the door. I'm going to be a GOOD citizen, walk over, see if it's just my imagination, or if the door is actually open, and if it IS open, I'm going to go TELL him about it. I don't expect to be prosecuted for breaking and entering or trespassing; I expect to be told 'thank you'.
I think that Brian never read slashdot, otherwise he would have learned from previous articles that he shouldn't do something like that.
Be nice and you'll go to Jail for free, I mean what more can you ask for?
Then to avoid prosecution or commute his sentence they will have a forced participant in their system when some big problem that they can't solve pops up. Book 'em, then use them, then throw their life away. It happens on the Sopranos, and in real life only differently. Once they have you as someone that has done something wrong, even in the slightest, you're screwed.
Turning in your friends is a common, everyday, police tactic that is used constantly in all departments.
OK take this as a lesson, next time you find a security hole, to hell with being a nice person and alerting the victims. Just do as much damage as you can and take anything you can. I mean, if you're gonna get caught anyway, why not at least have a good reason to get caught.
Sadly, it looks like a good policy to follow these days is to NOT help people until they come begging for your help, and then, charge them handsomely for it.
Strangely, though, unlike most other countries, you can have a choice on your occupation, and you have decent property laws, and you can carry a weapon for self-defense if you want to, and you can move out if you're a pinko that has no idea how good the USA really is.
Obviously, the more the government wants to crack down on "hackers" the more protections people who spot security holes and such need. This reminds me of First Aid protection people get, in an emergency you can apply first aid and you cannot be sued for screwing it up.
It would be nice if someone wrote up a bill giving those who report flaws the same protections.
So the lesson we learned here is to send security warnings like that through anonymous E-mail.
This guy didn't violate any norms of society, although some people think that he may have violated some laws. Norms are things that most people believe (i.e. kiddy porn is bad, don't steal, go to high school, etc.), and laws are specific documents listing actions that you must or must not do according to the government.
He most certainly didn't violate any norms.
ReadThe ReflectionEngine, a cyberpunk style n
No, you wouldn't. But I could see the owner of the car possibly having you charged with attempted theft, or illegal entry.
Liberty in your lifetime
It's things like this, the DMCA and other such horse shit that make me hate living in the US.
I'm really starting to think about moving somewhere else. Can anyone name some places where such nonsense isn't happening? English speaking, 1st world countries preferred.
The opinions in this post are fictitious. Any similarity to actual opinions, real or imagined, is purely coincidental.
From a NY Times article, http://www.nytimes.com/2001/08/19/technology/19WIRE.html, about a man who inadvertently 'cracked' a hospital's wireless network:
On the other hand, he also knew that with "sniffer" software that he uses to analyze computer networks, he could monitor every message and file passing through the hospital's wireless system, presumably including sensitive patient data entered by nurses via the wireless-equipped laptops they carried from room to room.
"Fortunately, I'm married to a lawyer, who advised me against looking," he said.
I think the moral here is not, as some cynics have suggested, "If you find a security hole, don't report it", but "If you find a security hole, don't 'test' it".
Here in Australia the reputation of the U.S. FBI is formed solely through movies and television. So you can understand how someone like myself (who lives in Queensland, Australia) has the impression that the FBI like to barge into places and get convictions.
This story has made me think "maybe the FBI are all crazy..."
"Oh, you think you're innocent of the charges? Well, that can be decided in court... welcome to the concept of innocent until proven guilty".
I'm sure that the federal officers involved in this situation were thinking "if this guy didn't really hack, but honestly found this misconfiguration by mistake, his attorney will argue it in court and he'll walk".
FAIR ENOUGH? Simply indicting someone doesn't mean they're definitely going to jail, but they get inconvenienced to the max. $10K to prove you're innocent? More than a year of your life filled with stress, wondering if you are going to spend a few more years under probation or even jail?
I'm sorry, but that is crap. Just because these feds didn't know jack about the situation (I can only conclude that they didn't fully understand the situation as anyone that does understand the problem wouldn't want this guy prosecuted) this good samaritan goes down.
And no, I am not anti-American. Federal law enforcement in Australia isn't too far behind. Prosecution hungry feds like to run amuck here too.
"Yeah Tommy, before Zee Germans get here
Seems that "entrapment" can pass for "due process" nowadays. Our rights were fun while they lasted.
"You spoony bard!" -Tellah
Mea culpa. Me go get coffee now.
Every day I grow more disgusted.
pr0n - keeping monitor glass spotless since 1981.
I believe you're thinking of Randal Schwartz, not Tom Christiansen. And given that Tom hasn't yet blasted you, I'll have to assume that Tom hasn't read this.
It's definitely more of one than the article below it..
Why won't slashdot let me change my terrible username
Several months ago this (or an exact situation like it) was an "ask slashdot" entry and many slashdotters said NOT to notify the company nor the competitor.
If I recall correctly the situation was that you lost a contract to a competitor, the competitor did a marginal job, and left the site open. It appeared to most slashdotters that your pursuing this was sour grapes in an attempt to win back the client and make your competitor look bad.
Telling the client was like telling a mother that her baby is ugly. In essence he made an ugly choice.
Over and over the advice was not to even go to the site and definitely not to notify anyone because of this very thing.
Oh what the ego can do to us. A site lost to competition is a poison site.
Even an innocent visit to a poison site may not be defendable if the site is cracked later and your addresses are found in their logs.
Life is about choice. You chose a most difficult board position and I wish you well in the end-game.
Sanat
And in the end, the love you take is equal to the love you make
Reminds me of what Germany was like back in '33
now we need to go OSS in diesel cars
slashdot needs killfiles.
Who exactly is this Mike Scott guy? Linkage, please.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
>> I agree. Though there is probably some amount of overreacting on the government's side, trespassing physically or digitally typically is illegal, regardless of intent. <<
I remember a quote once from a fed spokesperson saying that the gov does not have enuf resources to go after much except the largest of crimes.
If this is the "largest of crimes" on their to-do list, then the world must be a pretty safe place.
Table-ized A.I.
Ha, this person has never been charged, so he has never gone to court -- let alone had a "not guilty" verdict.
It's pretty hard to have any jeopardy of any kind until those three things happen -- charged, court, not guilty.
The prosecutor is standing in front of a mic, and talking out of his cake hole.
The prosecutor knows two things :
One, computer crime gets in the news. That means he gets his picture in the paper -- great for that DA job he'd like to settle into after a few more years. Bragging rights for his offspring, if nothing else.
Two, they have a weak case, and anything they can do to get the kid to cop a plea lets them mark it down in the books as "solved". Every "solved" case increases funding and gets him a better shot at juicy DA position.
This is all so predictable. Please see my other posts about when to cooperate with law enforcement, and when to stop and shut your mouth!
Quick recap :
1) In America, we have free speech. The police, the detectives, yourself. There are things any of you can say, within bounds, at different points in the process. Without charges, the police can play pretty fast and loose with their statements.
2) Once you have been read your rights NEVER speak to anyone about the case without your attorney present!
3) Once charged, you have a right to have an attorney present during questioning, representing you. If you cannot afford one, one will be provided. It's the law.
Help the police, they catch the bad guys. But once they start looking at you, shut up and stay cool -- you are up against trained pros.
Remember, when a lawyer gets charged with a crime, they shut up and get a lawyer! When a police officer gets charged with a crime, same thing! That should tell you volumes about how the system works.
My gut feeling? Our boy here is not being totally honest about his activities. He has an attorney, but he has not been charged. I wonder why? He could be sniffing at a defamation lawsuit, his attorney may be asking questions, requesting records. The FBI, newspaper, and DAs office might be mounting a counterstrike to scare them off.
The more I think about it, I keep wondering : why has this guy hired an attorney, when he hasn't been charged with a crime?
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
Mixmaster anonymous remailer network (sigh). It's a shame that you can do right in the United States only by remaining anonymous.
Send mail here if you want to reach me.
Anyone with a copy of FrontPage and a large set of balls attempt to do what West did to the paper's site? I think that it's completely possible that the daft sysadmin at his competition still hasn't fixed the hole...
Everything would be for purely informational purposes, of course...;)
====
"white bread, redneck, chicken-shit, motherfucker" -- Dr. Dre on "Straight Outta Compton"
With news organizations like CNN slashing staff, the remaining staff may be too overworked & disgruntled to maintain security. Laid-off staff may have passwords and know the system inside and out. Those who control the media are tight with money, and info security is not a profit center like advertising sales. But on a news web site, leaving it unprotected means anyone can create their own headlines!
Local:
"Mishap at Water Treatment Plant poisons city water supply, tap water now flammable, shut off all water valves!"
Election '01:
* Candidate for Mayor Observed Molesting Boy Scouts
* Police Chief says "No more black crime", ordered 100 ropes, having them attached to lampposts by Dept of Public Works.
Business:
"New Company Releases New Product, Stock Prices Shooting Up, Wall Street Analysts say 'Buy Now'"
Or just randomly deface the pages:
"All Your Base Are Belong To Us!"
"LIMP BISKIT F&*&IN RULES!!!!!!!"
Or actual stories may be modified in ways not apparent. A city council meeting is reported "cancelled" and fewer people show up.
People running for public office occasionally overstep the bounds of the law. Possible this would include modifying a news website just prior to election? Possible an elected official would know how to contact someone with the skills to do so and pay them to do it anonymously and untraceably?
When reading the news on a web site, one can no longer assume it was not modified without the news organization's knowledge. In fact a news URL may be as bogus as a chain letter. When a security breach is publicized some readers may lose faith in that website and try the competition's web site.
Do newspapers firewall their web servers from the machines the stories are composed on? If not it is possible the content of the PRINT edition could be messed with. And whatever is printed in the paper it must be true.
This seems to be a case of the God complex. I have known people who, when their mistakes are brought to their attention by someone, think that the person is targeting them and, thus, they must be brought down. I am guessing this is the type of guy he was dealing with when he mentioned the security flaw.
:)
Seems like a better way of bringing up the security problem is to post it all over IRC and have other people post porn on the website. They'll understand the security flaw and look stupid, just like they should.
The way the article is written leads me to see it as a genuine story because it is a mirror image of hundreds of such similar stories.
The article shows something very familiar that can be seen among many enforcement and security services around the world. No it is not computer "ignorance". It is using your badge and position to show how important you are and to get some extra premium for "excellent service". You live in some peripheral corner of some megapolis or in some lost land of technocivilization. And you get a case near the edge of the law. So a little bit of grease and things slip to the place where you become sound and famous. And maybe you get a chance to quit this greasy and smoky neighborhood and get a seat in some shiny office on the 30th floor.
Here we can see that FBI officers are as human as their colleagues in other places of the world...
I read through the pdfs on the linked site there, and if they are legit .. sounds like someone is .. well full of shit .. I don't know .. but the way I look at it if they are wrong on a fundamental issue like this (quote follows).
---
[...] different attempted actions on the host computer including "GET" requests indicating that a file has been requested for download, or "POST" requests where a file has been provided for upload to the webpage. Generally, the webpage administrator is the only person who would attempt to "POST" files to the web page.
---
I know my HTTP protocol enough to know that GET and POST are essentially the same .. and both serve the purpose of fetching a page, and just as I will click the "Submit" button on this reply I will attempt a "POST" request on slashdot. Oh no I'm trying to hack slashdot, coz I'm not the admin .. bah .. my point is made .. what's up with that? they really should get their facts straight.
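The point the poster makes about GET and POST, worked through in code. This is an added example, not code from the original post, the newspaper, or anyone in the story: it builds the two kinds of request a browser sends (a page load and a form submission), parses them with one parser to show they share the same request grammar, and then runs a small triage over constructed access-log lines to show what a defender should classify on instead of the verb: the path that was hit, whether the server demanded authentication, and whether it accepted the request. The host name, paths, addresses and log lines are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample traffic (not from the story): what a browser sends when a
# reader loads a page (GET) and when they press "Submit" on a comment form (POST).
# Host and paths are hypothetical.
def build_get(host, path):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"

def build_post(host, path, form):
    body = urlencode(form)
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def parse_request(raw):
    """Minimal HTTP/1.1 request parser: one grammar serves GET and POST;
    the only difference is whether a body follows the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
    return {"method": method, "path": path, "version": version,
            "headers": headers, "form": form}

# Constructed access-log lines in Common Log Format (hypothetical addresses and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Aug/2001:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [19/Aug/2001:10:00:09 -0500] "POST /comments.cgi HTTP/1.1" 302 0
10.0.0.7 - - [19/Aug/2001:10:01:00 -0500] "POST /admin/publish.cgi HTTP/1.1" 401 0
10.0.0.7 - - [19/Aug/2001:10:01:05 -0500] "POST /admin/publish.cgi HTTP/1.1" 200 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) \S+$')

PUBLIC_POST_PATHS = {"/comments.cgi"}   # form endpoints any reader is expected to POST to
AUTHORING_PREFIXES = ("/admin/",)       # hypothetical paths that should demand authentication

def triage(log_text):
    """Classify each request by path and outcome; the verb alone never decides."""
    verdicts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if method == "POST" and path in PUBLIC_POST_PATHS:
            verdict = "normal form submission"
        elif path.startswith(AUTHORING_PREFIXES) and status == 200:
            verdict = "authoring action accepted: check which account was authenticated"
        elif path.startswith(AUTHORING_PREFIXES):
            verdict = "authoring path refused by the server"
        else:
            verdict = "normal read"
        verdicts.append((ip, method, path, status, verdict))
    return verdicts

if __name__ == "__main__":
    print(parse_request(build_post("news.example", "/comments.cgi",
                                   {"name": "reader", "comment": "hello world"})))
    for row in triage(SAMPLE_LOG):
        print(row)
```

The ordinary reader's comment is a POST and is classified as routine; the two requests to the authoring path are separated not by their verb but by the 401 versus 200 the server returned, and the accepted one is the line an administrator should follow up on by checking which account was authenticated.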
Sure, oh yes. Site's content is obviously a copyrighted material, and site's defences are to protect this material. Which makes Microsoft a company that produces technology and tools to circumvent the copyright protection. I'm holding my breath to see Ballmer arrested by FBI agents next time he goes out of Microsoft headquarters.
-- If you can read this, you have too much education.
Because any script-kiddy reading that article will probably get a hard-on, hacking in there. And they probably won't give a call in advance or leave their address and office hours with the FBI. Well, if I found a security hole on their site I sure as hell wouldn't inform anyone about it, and surely not them.
I really hope their zero-tolerance-policy blows up in their face and leaves them with the shit they deserve, so they serve as a bad example. With their action they only scare law-abiding folks from reporting security-holes to them, but no crackers who stand on the wrong side of the law anyway.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Wow - the American government seems to do everything possible to stop people helping each other.
It's forbidden to point out security flaws in commercial software (Adobe!!)
It's forbidden to check software you _buy_ for security flaws, even when not telling anybody
It's forbidden to tell someone that they have a problem (or at least you shouldn't do it because you could go to jail for it).
I always thought RMS and the FSF were taking it too far with their political opinion.
But as more and more things like this happen, I am more and more convinced that they are totally right. It's a moral obligation to help others, and anything that tries to stop this, be it the DMCA, other silly laws, or proprietary software, is just plain WRONG.
I live in Austria, and things aren't this bad here, but they will certainly get worse.
Is entry through an unlocked door illegal?
Yes. Were you not aware of that?
BTW, good luck to you in the case where the homeowner says his door was locked, and you say it wasn't. The fact that you illegally entered the house will be enough to convince a jury that you picked the lock.
...no good deed goes unpunished.
...
Or, as my grandfather, God bless his soul, used to say, "doing good is screwing your own mother"
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
Don't tell it - Sell It.
The Real Lesson here is. Don't do a good deed. Turn a good profit. Their competition would love to pay for information about security holes.
You got to love Gov. that encourages industrial espionage.
- - If you are reading this, I'm not having a productive day.
Let old Frank know how you feel: governor@gov.state.ok.us
I do not fear computers. I fear the lack of them. Isaac Asimov (1920 - 1992)
Thank you for providing such a vivid demonstration of the fallacy of guilt by association. The association you're referring to (co-authorship of Learning Perl) occurred before Randal was charged. And as far as I know, there's no love lost between Tom and Randal, which makes your substitution of Tom for Randal doubly off.
Strike two. I couldn't care less about the number of digits in a Slashdot user number. Please have your mind-reading apparatus recalibrated, it's obviously way off.
However, he has the text of a letter received from the US Attorney for the Eastern District of Oklahoma stating that
So, they're presumably slightly beyond the "fishing for an admission" stage. I suspect that having an attorney really would be a good idea for him.
fencepost
just a little off
What the hell is the deal with all of these idiotic analogies? I mean, come on. What happened is what happened, we should all be able to understand what happened without these preschool metaphors.
Just stop this right now.
If you really believe these things, then you're making a great sacrifice by posting, exposing yourself.
If you think that posting as an AC is going to protect you, then you're a fool.
Even if things can't be traced at a network level, (which may be possible, depending on how far you claim to follow the conspiracy theorist's belief) they can still match your writing style to that of known criminals, activists or simply people that they have no proof are guilty of anything.
What's this Submit thingy do?
If you are flying from say, Heathrow to Mexico City, connecting in Toronto (I made that up), standard practice is that you do not have to go through Canadian customs & immigration in Toronto, because you are not actually entering Canada officially; you are simply catching a connecting flight.
On my trip from Amsterdam to Costa Rica, connecting in Newark, they made us collect our luggage, go through customs & immigration, and then hand our luggage back in.
Normally, an airport simply keeps you in a secure area between connecting flights if they are not domestic.
You seem to think I'm whining about Customs & Immigration because it's 'annoying' or something.
Dude, let me tell you. If I'm travelling to the United States, then I fully expect to obey their laws and go through customs & immigration, etc etc.
But when I'm flying to Central America, and my flight just happens to connect in Newark, and I'm not told until the last minute that I have to go through US Customs (which is NOT normal for a connecting international flight).. that disturbs me, because I may be carrying things in my baggage that I am not allowed to bring into the US (but are perfectly legal where I came from and where I am going), or (though it's not the case at this point) I may for some reason not be permitted entry into the US.
And you are just the type who says 'You don't like it in the US? Look at countries with REAL problems'. Yep. Let me tell you.. if the US continues to erode its people's freedoms as it has been, you will end up the same way.
If this case is to be prosecuted, it's because the PDNS are asking the police to do so and cooperating with them in the prosecution - it's not like the DMCA cases where a company can make an accusation and the Feds run with it even after the accuser backs off. The paper needs to understand the moral position they're in and do something about it. Among other things, that's a job for letters to the editor that really *are* to the editor...
Their advertisers ought to understand as well. The web page lists a Directory of them. Most of them aren't technical people; it's much better off to do a friendly "Hey, this guy tried to help out the paper you're advertising in and the publisher's gone ballistic and trying to get him jailed" rather than geekish flamage. Most of them don't have email addresses listed - most have snail-mail addresses, and while some have phone numbers, I'd advise against bothering them that way.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
While I agree with you on most points, what you're saying sounds an awful lot like blaming the victim. "He shouldn't have gone down that dark alley last night, that's why he was mugged." "She should never have dressed so provocatively, that's why she was raped." "They should never have connected that system to the Internet, that's why they got hacked."
The problem is not really incompetent system administrators per se. Most of them know their own lack of knowledge and are happy to have their shortcomings pointed out to them so they can do something about it. It's incompetent system administrators who are bent on staying incompetent. It's these kinds of people who prosecute helpful souls who point out their incompetence. They shoot the messenger who points out to them their own failings and calls for them to do something about it.
Give me six lines written by the hand of the most honest man, and I will find something in them to hang him.
Stupid Sysadmin+Stupid Law Enforcement+Stupid Software=Brian West+Jail
Where do you want to go today? Certainly not jail...
No, seriously, I just come here for the articles.