Slashdot Mirror


Report Security Problems, Face The Consequences

An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.

164 of 552 comments

  1. Interesting Tactic by zpengo · · Score: 5, Funny
    Competition: "Oh, there is? Really? How does it...? Oh, geez that's really bad. It does that too!? You're joking? Wow, we'll get on that right away." (Hangs up phone and calls police.)

    PHB: "Good work, Johnson! That'll show 'em!"

    Naked Woman Seeks Sex at Airport

    --


    Got Rhinos?
  2. this is not a new thing by Emugamer · · Score: 3, Insightful

    Whistle blowers have been prosecuted and prosecuted for a long long time..... why do you think we would be immune to the norms of society?

    1. Re:this is not a new thing by Anonymous Coward · · Score: 3, Informative



      Even big stupid companies do it!

      Whistleblowers take 3Com to court over unsafe kit claim
      By: John Leyden. Posted: 15/02/2001 at 18:43 GMT


      3Com is facing a multi-million dollar lawsuit from former employees claiming it knowingly sold unsafe products and conspired to file false police reports against them when they reported problems with its kit.

    2. Re:this is not a new thing by Lord+of+the+Files · · Score: 2

      Actually a real anonymous remailer isn't going to include any IP address info. The cypherpunks' anonymous remailers throw away all identifying information, and are not supposed to log anything. In addition they are designed to be used in series, with each one only knowing who it got the message from, and who to send it to next. As long as at least one of the series of machines you send it through isn't compromised you're safe.

      --

      God does not play dice - Einstein

      Not only does God play dice, he sometimes throws them where they

  3. yeah by vectus · · Score: 2, Insightful
    That's why I never do anyone good deads.. they just bitch and complain


    But seriously, this guy deserves a medal, not time in jail, or fines. If a worker at a car company knew of a serious fault in another company's car, and didn't come forward, he would be guilty of murder (assuming people died from the flaw). If this guy didn't come forward, he would be partially responsible for the damage caused by the security flaw.


    I doubt this case will go that far, though.. I just wish the government would realize how fucking stupid they are being.

    1. Re:yeah by jjsjeff · · Score: 2, Funny

      I'll do you a good deed by teaching you how to spell DEED.

  4. Depends.. by dj28 · · Score: 5, Insightful

    It says in the article that he 'tested' the secure hole to make sure it was indeed a security hole. It depends on what he did to that site during that 'testing'. If he did something illegal, then they are going to bust him down in court for that.

    1. Re:Depends.. by GoofyBoy · · Score: 3, Insightful

      That's pretty sad that the FBI thinks they have a case based on this.

      Doesn't his intent count for anything?

      If I think a ground floor window is unlocked, should I just talk to the homeowner or should I at least verify it?

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    2. Re:Depends.. by w3woody · · Score: 2

      What I do to test a hole like this is to create a small, new test page that is disconnected from the site, and upload it. Then, I may add a comment to some random HTML file buried in the site (something like a "hello world" comment at the top of the page) and try to replace an existing HTML file. Then, I try to delete the file I created in step one.

      None of these changes alter the appearance of the web site, but they test if you can upload, change and delete a file on the server.

      As to if this is illegal or not, one element of determining if something marginal like this is illegal is intent. This is akin to noticing if the lock on a gate is broken--you may wind up crossing a few inches inside the gate to determine if the door opens inward, so technically you are trespassing. But only the most anal DA would try to have you put in jail for crossing six inches into someone else's property to check a gate latch that you then promptly warn them about.

    3. Re:Depends.. by Syberghost · · Score: 2

      It's not at all surprising, though.

      I have met the FBI's "top computer expert" special agent in Oklahoma. He is probably a good cop, but he doesn't know shit about computers.

      He asked for my card as a technical resource, but then I left that company (another SE Oklahoma ISP, as it happens, that doesn't have a lot of overlap with the two in this story) and I never heard from him.

    4. Re:Depends.. by well_jung · · Score: 2
      I think the message is: if the Emperor is not wearing any clothes, just look away.

      This is, of course, why my $300 went to the EFF

      --
      Carl G. Jung
      --
      "With one breath, with one flow, You will know Synchronicity" -La Policia
    5. Re:Depends.. by Metrol · · Score: 2

      Yet he felt it necessary to "test" the hole one day later.

      Throughout your post you are basing your assumption that he already knew there was a security hole on the server. How exactly does he know that? Do you send letters to webmasters hosting on NT's at random to let them know about security flaws? Unless he were to attempt a write back to the server just exactly how does he know that he can? If he can't, there's no security hole to report.

      The guy uses Front Page for crying out loud! We're not talking about Ueber Geek here.

      --
      The line must be drawn here. This far. No further.
    6. Re:Depends.. by werdna · · Score: 3, Insightful

      The great difficulty derives from the outrageously broad language in the Computer Fraud and Abuse Act and in the Stored Communications Act. Virtually every meaningful access of information to or from a computer without authority can be a basis for screaming crime, with just a few technicalities. Indeed, it's nasty even in a civil context.

      One incredibly important thing to take away from this communication is that if you are ever actually asked to do any kind of security audit, get a plenary release in writing that ANYTHING you do is authorized. If they don't want to do that, consult a lawyer who knows this area before you even begin to think about doing the gig. -- It's amazing how many accesses become "unauthorized" after the fact, depending upon the interests or politics of the day. Don't let this happen to you.

    7. Re:Depends.. by Old+Wolf · · Score: 2

      This isn't like someone's house.. It's like a shopfront in a mall, but with no glass, and the guy reached out his hand to check whether there were actually no glass, or whether it were just very clean so it appeared invisible

  5. He's a witch... by doorbot.com · · Score: 3, Funny

    ...burn him!

    1. Re:He's a witch... by Metrol · · Score: 2

      So... if he weighs as much as a duck, he's made of wood.

      And therefore...

      --
      The line must be drawn here. This far. No further.
  6. This sort of thing seems to be typical by lordkuri · · Score: 2, Interesting

    The bottom line is, with all the FUD in the media nowadays (CR, Sircam, etc..), anyone who finds a flaw in some type of system is gonna get shafted, period.

    The only thing I see as a possible remedy to this is for people to actually start using all those anonymous remailers that are floatin' around, otherwise, be prepared to get bent over for trying to be helpful. I can relate to this personally, the only good thing about it is that I only got fired, not arrested. But how much more BS are people going to take before they start to take a stand against this kind of crap?

    1. Re:This sort of thing seems to be typical by feydakin · · Score: 2, Insightful

      So, if you're aware of someone taking increasingly large doses of drugs, just stand by and let them OD?

      Yup.. Helps clean out the shallow end of the pool..

      --
      Death and poverty like me so much, they've brought friends!
    2. Re:This sort of thing seems to be typical by Dyolf+Knip · · Score: 2
      So, if you're aware of someone taking increasingly large doses of drugs, just stand by and let them OD?


      Certainly not, but the point is that total apathy and noninvolvement is apparently the only way to keep from getting arrested nowadays. But it's only a matter of time before you get sued because you didn't help when you should have. Nice little catch-22.

      --
      Dyolf Knip
  7. Donations... by hexx · · Score: 5, Informative
    1. Re:Donations... by szcx · · Score: 2

      I suggest that before contributing to this defense fund, you learn a little more about the case. Go here and check out the Oklahoman News piece. There seem to be a few discrepancies between what West says happened, and what server logs are reporting.

    2. Re:Donations... by Eryq · · Score: 2, Insightful
      The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1.

      It doesn't say that all of them came from Brian West, does it? I'll bet a bunch of them were just Code Red....

      The affidavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

      Like what? index.html? Or dir.gif? favicon.ico? Or maybe 4 shift-reloads of a page with 50 gifs?

      I have yet to hear any sane theory as to why Brian would intentionally probe a website -- knowing that his accesses would be in the server logs -- only to phone them up and say that they have a security weakness. What would his motive be?

      Occam's Razor applies. The simplest explanation is Brian's. Even if he was probing for weaknesses, he still did the right thing when he found them.

      --
      I'm a bloodsucking fiend! Look at my outfit!
    3. Re:Donations... by szcx · · Score: 3, Insightful
      I have yet to hear any sane theory as to why Brian would intentionally probe a website
      Want to play with Occam's Razor? How about this; Brian works for Cwis, he cracked the website then contacted the Poteau Daily News to "rescue" them from the incompetence of his competitor, Cyberlink.

      I'm not saying that's what happened, just that you can't be sure that it's not what happened. People need to find out as much as they can from both sides of the fence before contributing to a "defense fund".

    4. Re:Donations... by zpengo · · Score: 2
      How exactly do we know that this paypal account is valid, eh? I could make a killing by taking 5 minutes to set up an account and then posting on Slashdot (because, of course, such noble activism certainly warrants enough +1s to bring it to the top of the comments). Brilliant scheme, no?

      Naked Woman Seeks Sex at Airport

      --


      Got Rhinos?
    5. Re:Donations... by CoreDump · · Score: 2
      Also, for those who are averse to PayPal, there is an Amazon Honor System account set up as well.

      http://www.amazon.com/paypage/P3EMCVKJQX404O

      I just donated. You should too.

      --

      ---
      Segmentation Fault ( core dumped )

  8. Re:Who-hoo! Land of the Free! by Anonymous Coward · · Score: 2, Funny

    And fortunately for you, one of the few that won't kill you for criticizing it.

  9. Entrapment? by Robber+Baron · · Score: 2

    The FBI posed as employees of the Poteau Daily News and asked West about dedicated internet access (T1 or better). They called for the best time to come visit him at Cwis Internet Services, the company where he works. After setting up a meeting, the FBI arrived on Feb. 11, 2000. When the FBI, posing as the 'main office' of the Poteau Daily News, asked about the problem with the pdns.com site, West explained the details regarding the pdns.com (Poteau Daily News) website, including how to fix the server misconfiguration. At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked. As it happened, the site was still wide open, two weeks after he had explained the vulnerability and how to fix it to the editor-in-chief of the paper, Wally Burchett.

    I'd be tempted to call this entrapment...except for the fact that he didn't actually commit a crime.

    --

    You're using her as bait, Master!

    1. Re:Entrapment? by Jace+of+Fuse! · · Score: 2

      I'd be tempted to call this entrapment...except for the fact that he didn't actually commit a crime.

      And THAT is exactly what is wrong with this case. He committed no crime but they'll create a law and set some evil precedent to make sure that what he did is in fact punishable by law.

      Wasn't long ago that somewhere over in Europe someone discovered that one of those wired park benches allowed long distance for free, at Microsoft's expense? When those guys reported it, did THEY get arrested? No? Why?

      Because Justice is supposed to protect people, not relentlessly punish.

      Our system is screwed up pretty good. With laws and courts like these here in the US, who needs foreign enemies?

      --

      "Everything you know is wrong. (And stupid.)"

      Moderation Totals: Wrong=2, Stupid=3, Total=5.
    2. Re:Entrapment? by Velox_SwiftFox · · Score: 2

      And the telling fact that shows this is true, that the prosecutor is working entirely on bluff and knows himself that he has no case, is that that prosecutor is threatening to accuse him under the "Wire Fraud" statute. Since there is no actual person being deceived by false statements from the accused in this case, the prosecutor is trying to use the "wire fraud is anything we don't like you to have done over communications facilities, even if it isn't actual fraud" theory. Which happily US courts have looked at and effectively told the US Justice Department "Uh, no. Nice try but the law doesn't say that".

  10. The DMCA strikes again! by tangent3 · · Score: 2, Funny

    I don't know how, but I'm pretty sure that 'violating the DMCA' will eventually come up as the charge.

  11. Important lesson by MeowMeow+Jones · · Score: 5, Insightful

    Talk to the techs.

    Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

    --

    Trolls throughout history:
    Jonathan Swift

    1. Re:Important lesson by atheos · · Score: 3, Interesting

      It appears to me that he didn't want to inform the security flaw to the competing ISP.
      It looks to me like he simply wanted to sway the customers over to his company, and use the security flaw for the reason.
      ya ya ya, I'll get modded down for this, but I do think there is more to the story.
      He should have contacted the other company, and the FBI should do better things with their time.

    2. Re:Important lesson by Skapare · · Score: 2

      Way too often, you get hold of someone incompetent. When that happens, more likely they realize they're in over their heads and that their fanny is showing and it needs to be covered up. I've dealt with webmasters and sysadmins before, and usually things don't get taken care of. But in the cases where I was able to get hold of someone in management that gives a damn (even if he isn't a techie) things do usually get taken care of and often quite quickly. So in the current (sad) state of affairs, if you can get hold of someone higher up in management that can at least understand that there is a problem, that is the best way to do it. I do realize that may come down hard on someone at the bottom who may simply have made a typographical error. But in the majority of cases I've encountered, were I the management in charge with what I know about these things, at least one head would roll.

      --
      now we need to go OSS in diesel cars
    3. Re:Important lesson by jimmyphysics · · Score: 2, Funny

      Nah, just mention it in #h4k3rz or something. Let the problem work itself out.

    4. Re:Important lesson by Faies · · Score: 2, Insightful

      Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster?


      If I were this guy, I would talk to the editor-in-chief rather than the techies working on the webpage in the first place. If no authentication is needed, the webmaster may not have been using a password him/herself. Since it would appear that no effort had been made to secure the page, then I would think the webmaster was slightly on the incompetent side and report it directly to somebody who might oversee the webmaster instead.

  12. Erm... by mindstrm · · Score: 2

    Actually, most countries won't kill you for criticizing them... contrary to what you might be taught in school.

  13. Generic Slashdot paranoia? by nougatmachine · · Score: 2

    I'm pretty sure that this has nothing to do with the Digital Millennium Copyright Act. In this case, the FBI seemed to be quite devious, not stupid. What does this have to do with Copyright violation? Nothing, since with the security hole it would be easier to deface intellectual property. Maybe you should consider spending some time away from Slashdot for a bit : ) Not every dumb government action is because of the DMCA, after all.

    1. Re:Generic Slashdot paranoia? by sigwinch · · Score: 2
      I'm pretty sure that this has nothing to do with the Digital Millennium Copyright Act. In this case, the FBI seemed to be quite devious, not stupid. What does this have to do with Copyright violation?

      He obtained copies of pages, which pages were subject to copyright, and which obtainment was without the authority of the copyright holder, and this was done by means of a device that circumvented access controls.

      Looks as good as any other DMCA case to me.

      --

      --
      Kuro5hin.org: where the good times never end. ;-)

    2. Re:Generic Slashdot paranoia? by Velox_SwiftFox · · Score: 2

      So? It doesn't have anything to do with wire fraud either, and the prosecutor is grasping at that straw as an excuse too.

  14. Re:Who-hoo! Land of the Free! by sbeitzel · · Score: 3, Interesting

    This, from the only country that forces you to go through customs & Immigration even to handle a connecting flight.

    No, Canada requires it as well.

    --
    Oh, go on, check out my job.
  15. Not the whole story... by szcx · · Score: 5, Interesting
    LinuxFreak:
    The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.
    Oklahoman News:
    Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.

    The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affidavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

    With that in mind, let's not canonize Brian West just yet.
    1. Re:Not the whole story... by Anonymous Coward · · Score: 5, Informative

      I know the guy in question on this situation and he didn't do anything malicious. I was talking with him on IRC at the time he found the problem and since he isn't an NT type he didn't quite understand what had happened. You can pull up one webpage and get dozens of listings in a log file with all the pictures, etc ... so the hundreds of attempts makes it sound worse than it really is. He did access directories on the site that operate it (they have a perl script so they can enter articles/changes via a web interface) just to see if it would allow him access to places that should have required additional passwords (not just the front page password) and sure enough it did. Nothing on the website was modified or any files changed or anything malicious. They're also claiming that this news perl script he accessed was worth $5,000 because that's the limit to get a federal prosecution.
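
Added example (not part of the original thread, and not anyone's actual logs): the point made in the comment above and in Eryq's earlier one, that a single page load produces many log lines, can be checked by folding raw hits into page views per client while counting script and write requests separately. The log format (NCSA Common Log Format), the 10-second window, the paths and the addresses are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed to be in NCSA Common Log Format and in
# chronological order. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2000:10:00:01 -0600] "GET /index.html HTTP/1.0" 200 5120
192.0.2.10 - - [01/Feb/2000:10:00:01 -0600] "GET /img/logo.gif HTTP/1.0" 200 2048
192.0.2.10 - - [01/Feb/2000:10:00:02 -0600] "GET /img/nav1.gif HTTP/1.0" 200 512
192.0.2.10 - - [01/Feb/2000:10:00:02 -0600] "GET /img/nav2.gif HTTP/1.0" 200 512
192.0.2.10 - - [01/Feb/2000:10:00:02 -0600] "GET /img/photo.jpg HTTP/1.0" 200 30211
192.0.2.10 - - [01/Feb/2000:10:00:03 -0600] "GET /favicon.ico HTTP/1.0" 404 -
192.0.2.10 - - [01/Feb/2000:10:04:10 -0600] "GET /news/today.html HTTP/1.0" 200 8100
192.0.2.10 - - [01/Feb/2000:10:04:11 -0600] "GET /img/logo.gif HTTP/1.0" 304 -
192.0.2.10 - - [01/Feb/2000:10:04:11 -0600] "GET /img/photo2.jpg HTTP/1.0" 200 20100
198.51.100.7 - - [01/Feb/2000:11:15:00 -0600] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [01/Feb/2000:11:15:01 -0600] "GET /img/logo.gif HTTP/1.0" 200 2048
198.51.100.7 - - [01/Feb/2000:11:16:30 -0600] "GET /cgi-bin/news.pl HTTP/1.0" 200 900
198.51.100.7 - - [01/Feb/2000:11:17:05 -0600] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 200 350
198.51.100.7 - - [01/Feb/2000:11:20:00 -0600] "GET /img/photo.jpg HTTP/1.0" 200 30211
"""

LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Classification rules are assumptions chosen for this sample.
ASSET_EXT = (".gif", ".jpg", ".jpeg", ".png", ".ico", ".css", ".js")
SCRIPT_PREFIX = ("/cgi-bin/", "/_vti_bin/")  # CGI and FrontPage extension dirs
SCRIPT_EXT = (".pl", ".cgi", ".dll", ".exe", ".asp")
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def classify(path):
    """Return 'script', 'asset' or 'page' for a request path."""
    bare = path.split("?", 1)[0].lower()
    if bare.startswith(SCRIPT_PREFIX) or bare.endswith(SCRIPT_EXT):
        return "script"
    if bare.endswith(ASSET_EXT):
        return "asset"
    return "page"


def summarize(log_text, window=timedelta(seconds=10)):
    """Per client: raw hits, page views, script hits, write requests, and
    assets that were not fetched within `window` of a page request."""
    stats = defaultdict(lambda: {"hits": 0, "page_views": 0, "stray_assets": 0,
                                 "script_hits": 0, "writes": 0})
    last_page = {}  # client -> timestamp of its most recent page request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        client = m["client"]
        s = stats[client]
        s["hits"] += 1
        if m["method"] in WRITE_METHODS:
            s["writes"] += 1
        kind = classify(m["path"])
        if kind == "script":
            s["script_hits"] += 1
        elif kind == "page":
            s["page_views"] += 1
            last_page[client] = ts
        else:
            # An asset fetched right after a page belongs to that page view.
            prev = last_page.get(client)
            if prev is None or ts - prev > window:
                s["stray_assets"] += 1
    return {client: dict(v) for client, v in stats.items()}


if __name__ == "__main__":
    for client, row in summarize(SAMPLE_LOG).items():
        print(client, row)
```

In the constructed sample the first client accounts for most of the raw hits with two ordinary page views, while the second has fewer hits but is the only one touching scripts or sending a write request, which is the distinction a raw hit count hides.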

    2. Re:Not the whole story... by whatnotever · · Score: 3, Informative

      Read the comments below the linuxfreak article. Brian explains it in a bit more detail. He did use a username/password, but he got it from a file served to the public from their site.

      And I think that the "hundreds of attempts" mentioned is just their normal daily load (their advertising claims to reach "over 1000" readers daily, and this is over a year later, right?). And if only *some* were trying to access these files and scripts, why even bother mentioning "hundreds of attempts" - that number is irrelevant!

      Basically, he did a bit more than click on "edit," but it sounds like he really did just find the hole and check to be sure.

    3. Re:Not the whole story... by Zero__Kelvin · · Score: 2, Interesting


      LinuxFreak:

      The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.

      Oklahoman News:

      Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.

      The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affidavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.


      Hmmm. Oklahoma news vs. Linuxfreak on a technical issue ... and Oklahoma News reports what 'Burchett said' instead of what happened. Big surprise. Are you serious? Are you stupid? Or perhaps you're just not thinking.

      Let's canonize him. Seriously. Next you'll be telling me that accessing /etc/passwd constitutes a cracking attempt!

      Let's adopt the same philosophy the FBI and the prosecutors have - if we are wrong about this one, they are guilty ten other times that we can't prove. I don't have any problem treating them like they treat others!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Not the whole story... by szcx · · Score: 3, Insightful
      Still, if you can explain to me WHY someone who had just supposedly *maliciously* hacked into someone's web site would phone the MANAGER of the company immediately to explain what they themselves had just done, then I might consider your opinions as being more than just those of someone who can't think for himself.
      You'll note that I didn't say Brian West was lying. I simply said there was more to the story. Relying solely on an article that supports one side's story is not sufficient. But hey, I wouldn't want to suggest that your opinions are those of someone who can't think for himself.

      But since you've placed me in the "them" corner, let's look at a motive. How about... for money? The oldest motive in the book. Here's a hypothetical;

      Brian West works for Cwis, he cracked the website then contacted the Poteau Daily News in order to "rescue" them from the incompetence of his competitor, Cyberlink.
      Don't believe everything you read.
    5. Re:Not the whole story... by szcx · · Score: 2
      Maybe I'm missing the obvious. But how the hell is that going to get him money?
      Yeah, you are.

      If someone calls you from an ISP saying your current installation (and provider) is insecure, do you stay with that provider? If you move, where do you go? How about that those nice folks at Cwis, they seem to be on the ball...

  16. Wonder if I could be prosecuted by ruebarb · · Score: 2

    Two months ago, my firewall reported a scan from an IP...I was bored, so I checked it out and it looked like a home computer...on a hunch, I tried mapping to the \\www.xxx.yyy.zzz\c share with no password.

    It was infected by a trojan that replicates off of unprotected C drive shares in Windows...I was looking at his C drive...and I thought about replacing everything on his desktop except for a note telling him he was infected with a trojan and his HD was open to the world.

    Thank God I wised up...He could have had me prosecuted!!!! God I'm so starting to hate the government.

    "I've never been to Vegas, but I've gambled all my life" - Ryan Adams

    --

    ----------
    ah honey, we're all resplendent - Bill Mallonee
    1. Re:Wonder if I could be prosecuted by Reality+Master+101 · · Score: 2

      God I wised up...He could have had me prosecuted!!!! God I'm so starting to hate the government.

      Damn right. And you would deserve to be prosecuted. I'd have no hesitation on throwing your ass into court.

      Bottom line, I don't want you or ANYONE regardless of their intentions modifying my computer. Chances are you would fuck something up while trying to "help me".

      Just like you wouldn't walk into someone's house just because they forgot to lock the door, there should be zero tolerance for people breaking into computers for whatever motive. The "hacker ethic" that it's OK to break into people's property for "learning purposes" or "curiosity" must be put to cold, hard death.

      --
      Sometimes it's best to just let stupid people be stupid.
    2. Re:Wonder if I could be prosecuted by Syberghost · · Score: 2, Troll

      Two months ago, my caller ID reported a call from a number. I was bored, so I checked it out and it looked like a home number. On a hunch, I looked him up in the cross-reference directory and went to his house.

      He'd left his door unlocked, and I was looking at his living room. I thought about leaving a note on his TV telling him he left his door unlocked and his house was open to the world.

      Thank God I wised up...He could have had me prosecuted!!!! God I'm so starting to hate the government.

    3. Re:Wonder if I could be prosecuted by IronChef · · Score: 2

      Bottom line, I don't want you or ANYONE regardless of their intentions modifying my computer.

      And if your computer is like a runaway train, screwing things up for everyone else? And if you are a clueless Win2k PC owner who has been 0wned for weeks and still hasn't read about Code Red or applied patches? And your PC is attacking everyone else around you, repeatedly? In such a situation, I think you should lose just a bit of protection.

      An infected computer is sort of a "public health" issue. It's like having the house next door on fire... I think you should be able to throw water on it. Or at *least* go tell the owner what's up.

      But I can't do even that. I can't email the chump at 65.3.142.xx because he doesn't have a domain name. And the ISP isn't doing anything, so how can we help this person to clean up their mess?

      The "hacker ethic" that it's OK to break into people's property for "learning purposes" or "curiosity" must be put to cold, hard death.

      Agreed. But...

      It would be nice to have a law passed that explicitly made it okey-dokey for people to merely inform a Trojaned luser of their situation, so long as no harm was done.

      Unfortunately, we will have to wait until today's Nintendo generation is in office before such laws have any chance of being introduced. If my mom is only now coming to grasp PPP connections, how can I expect people of similar age and experience in the legislature to understand things like the Code Red virus? All they know is "computers scary."

    4. Re:Wonder if I could be prosecuted by davie · · Score: 2



      Damn right. And you would deserve to be prosecuted. I'd have no hesitation on throwing your ass into court.

      Bottom line, I don't want you or ANYONE regardless of their intentions modifying my computer. Chances are you would fuck something up while trying to "help me".

      Just like you wouldn't walk into someone's house just because they forgot to lock the door, there should be zero tolerance for people breaking into computers for whatever motive.



      Excuse me, but I don't recall having observed my neighbor's house walking over to my house and checking to see if the front door was locked, or tampering with the locks so that other intruders can get in, then causing my house to behave in the same way.



      I think I can safely say that if I saw your house walk over to my house and start jiggling the locks, your house would be toast.

      --
      slashdot broke my sig
    5. Re:Wonder if I could be prosecuted by rnt · · Score: 2, Insightful

      It would be nice to have a law passed that explicitly made it okey-dokey for people to merely inform a Trojaned luser of their situation, so long as no harm was done.

      I don't think that law is needed. I don't see any reason why people informing trojaned lusers cannot do that safely. I have got countless Code Red probes in my Apache logs and have seriously thought about trying to warn those people (it's just there are too many of those).
      There's no way that could be illegal.

      I won't be trying to "verify" if the root.exe exploit is available on those machines, since that could give me some serious trouble if someone were to pursue a claim against me.
      No matter what my intentions are, that would be gaining unlawful access to someone else's machine.

      The problem with your statement "(...) so long as no harm was done" is hard to objectively maintain.

      Suppose a server I am sysadmin of has a security hole. You're trying to help me and being a white hat hacker you enter my machine and take a good look around and after doing so you create a nice summary of problems and even the necessary fixes.

      At first sight, that really is commendable.

      However, since I don't know you or your intentions can I safely assume you meant no harm and did no evil things to my machine? Should I take your word for it? For all I know you're just helping me to patch up my machine so no other evil hackers get in and you are the only one that is able to get into my now mostly-secure-but-now-backdoored-machine.

      The consequence of you trying to help me is that I would have to retrace all your actions on my machine, which might not have been necessary if you didn't try to "help" me by gaining access to my machine without asking me in advance.
      Surely I'd have to do a full security audit anyway, but now there is more information in the logs to be checked out.

      No matter what your intentions are and how stupidly I misconfigured my machine, your attempt to help me just cost me a whole lot of extra time and downtime.

      Informing people is fine and totally legal. Gaining access to their machines without their consent is illegal and rightfully so, as far as I'm concerned.

      The law I would like to see is one that holds people accountable for problems caused by those people not securing their machines (Code Red anyone... think of all the bandwidth wasted by that little prank). Better still, don't make it a law, ISPs could take it up in their conditions they are allowed to pull the plug when such problems aren't fixed within a certain period!

    6. Re:Wonder if I could be prosecuted by IronChef · · Score: 2

      I don't think that law is needed. I don't see any reason why people informing trojaned lusers cannot do that safely.

      Of course it isn't safe to communicate -- if the only route open to you is to exploit the compromised system. That is the situation many Code Red haters are in. I believe it should be permissible to get a message to the victim, even if it involves using an exploit, especially when their unsecured box is causing you grief.

      The problem with your statement "(...) so long as no harm was done" is hard to objectively maintain.

      Well, of course it is. If a law was passed it would have to take an extremely narrow definition. See below.

      Informing people is fine and totally legal.

      Sometimes. I was thinking specifically of Code Red. There are compromised boxen on my cable modem subnet. They attack me daily. There is NO WAY for me to inform those people WITHOUT exploiting the trojan they already have. You can use the Code Red root exploit to pop up a message saying "Fix your system, idiot" but it would be illegal to do so, since you are compromising their system.

      That's the kind of communication I would like to see protected by some kind of law.

      As it is, we have a 110% crazy system. People with compromised computers are all over the place... the ISPs can't or won't contact them directly, and we by law can't contact them either as individuals, because the required communication method makes use of a security hole. Only if the compromised computer has a domain name can you try to email the admin.

      (I called ATT @Home and said, "I have a big list of Code Red infected computers in my area. Where shall I send it?" After many minutes on hold the tech guy said I could try to send it to abuse@home.com, but it was *clear* they had no standing policy about this. I got a form email back from abuse@home.com saying thanks for the Code Red related email, steps are being taken. That makes me feel real good... The attacks are not slowing fast enough.)

    7. Re:Wonder if I could be prosecuted by ewhac · · Score: 2

      Nice try, but bad analogy. This is more accurate:

      Two months ago, I got some junk postal mail that was an illegal Multi-Level Marketing scam. I was bored, so I drove to the return address listed on the envelope. It was an apartment complex. I went inside the lobby to look around, and it was clear there was a boiler room operation set up in a couple of the apartments, churning out these MLM scams.

      It was clear the complex owner didn't know this was happening on their property. I thought of leaving a note on the manager's door, telling him/her of the problem.

      Thank $(GOD) I wised up. S/he could have had me prosecuted for criminal trespassing!

      Schwab

    8. Re:Wonder if I could be prosecuted by Syberghost · · Score: 2

      Two months ago, I got some junk postal mail that was an illegal Multi-Level Marketing scam.

      Wow; the original poster says he saw an IP address in his web logs, and from that you can state with authority that it came from an attempt to scam him?

      Holy shit, I better forward my web logs off to the FBI; I've unknowingly been the target of hundreds of scam attempts!

  17. I once did something like this...But won't again! by tjgrant · · Score: 5, Interesting

    Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood. This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite know how to respond, so I waited a day to see if the problem went away. It didn't.

    I figured that if I could see the shares other people could too, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.

    They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.

    However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.

    --

    Stand Fast,
    tjg.

  18. What to do? by yogensha · · Score: 5, Interesting

    So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What do I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?

    This is a crappy situation.

    --


    Abstainer: a weak person who yields to the temptation of denying himself a pleasure.
    --Ambrose Bierce
    1. Re:What to do? by SCHecklerX · · Score: 3, Insightful
      Sue them for giving your private credit information to everybody in the world.


      Or better yet, contact the FBI and let them take care of it, even if a phone call to a competent admin could have fixed the problem.

  19. Re:Has common sense become less common? by WindowsTroll · · Score: 2, Interesting

    You may argue that there is an obvious difference between cracking a system and exploiting it, but most 'joe bag-of-donuts' types won't see the difference. What you are fundamentally saying is that breaking in to a computer is an OK thing to do - as long as you don't steal anything, and that for law enforcement not to feel that this is OK is indicative of their cluelessness.

    How about an analogy that the 'joe bag-of-donuts' crowd can understand. Suppose you get a letter in the mail that says

    "Hi. I just wanted to let you know that I stopped by your house the other day, and I was able to easily break into your home. I was able to jimmy the back door, and slide open two of your windows. After I entered your house - since I saw that the exterior was insecure, I decided to see how secure the inside of the house was. While doing this, I was able to find your credit cards in your wallet, so your personal information isn't safe in your house. And, you left your gun cabinet unlocked. I just thought that I should share this with you since I am only interested in your security.

    The Cracker"

    I would argue that 99.9% of the people in this country would say that this person has broken the law and should be arrested, but you are arguing that since they didn't exploit what they found, that the clueless cops should leave this person alone. Common sense dictates that the person should be arrested, and the cops aren't clueless when they do this.

    --
    "Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
  20. And the moral of this story is... by WIAKywbfatw · · Score: 2


    ...never be a good samaritan, because no one will appreciate your efforts.

    Imagine this conversation in your street:

    Guy 1: "Hey neighbour, you've left your front door wide open and I think the local hoods are eyeing over your TV and VCR system."

    Guy 2: "What? You say you saw my front door open? How did that happen? I couldn't have left it open, not me. You opened it, right? I'm calling the cops buddy."

    Only in America.


    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  21. Re:Let him rot in jail! by Niksie3 · · Score: 2, Insightful

    I'm going to explain this very, very, very simply. Say if whitehat A were to find a security hole in your company's computer, and would notice you. And you were to fix it. You thank him and (possibly) send him a small check.

    Now... it appears that you would rather have the white hat see that your computer is vulnerable, not notice you because he doesn't want to go to jail. And start programming something else. Then, a few weeks later a script kiddie comes by, sees a vulnerable machine, grabs all the passwords, and defaces every computer on your network he could find.

    Take your pick!!!!!

    --
    Sig you!
  22. tragic, but not surprising. by Anonymous+Admin · · Score: 5, Insightful

    FBI goons play friendly while gathering evidence.
    Only those things that can be used against you are considered.
    Where is there news here?

    I have made it a point to NEVER, under any circumstances, connect to any service beyond web pages linked by their own site, without written permission of the owner, on their corporate letterhead.

    Exposing security problems is considered to be a nasty evil thing. Don't do it. Let them be hacked. Do not do it yourself. If you accidentally find a hole, don't access it, don't tell others of its existence, just go on about your own business.

    You, a computer knowledgeable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Don't provide it.

    1. Re:tragic, but not surprising. by mikethegeek · · Score: 2

      "You, a computer knowledgeable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Don't provide it."

      Yep, that's exactly what you are doing by helping them out. If we, as a profession, quit making victims of ourselves, the problem will take care of itself. For one thing, the government is likely as incompetent with computer security as it is with almost everything else it does (such as deliver mail). What it's VERY efficient at, unfortunately, is using force, and at manufacturing crime for profit (drug war).

      Remember, FBI and other law enforcement types are trained and propagandized to believe the WORST about us. Don't play into their hands. I know I'm sounding off the deep end on this, but with our government UNANIMOUSLY rubber stamping laws like the DMCA, why should anyone be surprised at ALL that they will do such things even to those of us who try to, GOD FORBID, do someone a favor?

      The only mistake this guy made was in not demanding $thousands up front as a "CONsultant" from the site in question.

      --
      === The price of freedom is eternal vigilance
  23. Sad, very sad by mikethegeek · · Score: 2

    It's sad indeed that in 2001 America, we've seen truth in the old adage "no good deed goes unpunished".

    I suppose in today's legal climate, the only way to treat your neighbor is callousness, at least, and stay out of jail. Help your neighbor, get 1-5 years.

    My suggestion to all those who are admins/coders/hackers/engineers, keep it to yourselves. I suppose we'll secure our systems, and let the government and the rest fall prey to script kiddies and our silence until they learn the Darwinian lesson of the consequences of their stupid 21st Century "digital age" laws.

    --
    === The price of freedom is eternal vigilance
  24. No good deed goes unpunished by YIAAL · · Score: 4, Interesting

    This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.

    1. Re:No good deed goes unpunished by mmol_6453 · · Score: 3, Insightful

      It's not likely, but it IS possible that the lack of increase in crime is a result of the increase in budget.

      --
      What's this Submit thingy do?
    2. Re:No good deed goes unpunished by isaac_akira · · Score: 2

      Except that it is law enforcement's job to investigate crimes, not prevent them.

      If I tell the cops that I know Joe is going to steal my car tonight at 11pm, they aren't going to try to stop him. But if he does steal my car, they will arrest him. Sure, they might wait and watch as he tries to break in, and then nab him before he gets away, but they won't say "hey, don't steal that car" before he does anything.

  25. where's the rest of the story by linuxpng · · Score: 2

    The story went into no details on what he did besides click 'edit' to compromise the site? It didn't actually state what he was formally charged with other than mentioning 'wire fraud' which could have a wide varying set of meanings. As part of being in this community I think it's up to us to dig and find more information before making rash decisions. After all, aren't we criticizing the FBI for their, apparent, rash decisions?

  26. Re:Has common sense become less common? by rosewood · · Score: 2, Insightful

    But this guy didn't even do this.

    What he did was walk by the house and see the front door hanging open when no one was obviously home. He then walked up to the front door and saw that sure enough the door was open. He never went inside. So he came back the next day and said heh, your front door is open.

    No one in their right mind would arrest a guy for that.

  27. part of the problem is incompetent sysadmin by Skapare · · Score: 5, Interesting

    My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that it's often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.

    The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.

    --
    now we need to go OSS in diesel cars
    1. Re:part of the problem is incompetent sysadmin by Skapare · · Score: 2

      Just install the secure patches, or find out what the patch is to protect against and find another way to do that. Did you block Code Red?

      --
      now we need to go OSS in diesel cars
    2. Re:part of the problem is incompetent sysadmin by Skapare · · Score: 2

      So if someone breaks into my computer system and downloads what turns out to be a virus, and infects his own machine as a result, losing thousands of dollars of business due to lost or exposed documents, etc, he could sue me?

      --
      now we need to go OSS in diesel cars
    3. Re:part of the problem is incompetent sysadmin by multicsfan · · Score: 2

      None of our NT systems were vulnerable as best I could tell checking for things that make your system vulnerable. On the other hand, those nt systems running IIS are running IIS2 or 3 as the newer ones break all the custom software the company has invested in.

    4. Re:part of the problem is incompetent sysadmin by mpe · · Score: 2

      The law is today basically covering up for administrator incompetence.

      Welcome to 21st century USA where the aim of the law is to protect "corporate citizens".

    5. Re:part of the problem is incompetent sysadmin by Skapare · · Score: 2

      You got that right!

      --
      now we need to go OSS in diesel cars
  28. Something similiar happened to me by Kiwi · · Score: 5, Interesting
    A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

    The FBI, in particular, is very ignorant about computers and security. Read this month's crypto-gram (one link from the page I linked to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

    About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

    Instead of just listing the mailing lists that exist, the program gave me a list of all mailing lists, and all people subscribed to the lists.

    Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

    At this point, the people freaked out. They thought I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

    Thankfully, the moderator of the mailing list was a member of our family's church. I wonder what could have happened if we were not on friendly terms with these people.

    Finally, I wonder why the FBI pursues crap like this, and not stuff like legitimate problems where the FBI could really help (scroll down to the section where he describes his dealing with the FBI).

    - Sam

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

    1. Re:Something similiar happened to me by Kiwi · · Score: 2

      The bug is that, when a comment is newly submitted, it appears blank for a minute or two, and will intermittently go from being blank to unblank.

      - Sam

      --

      The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

  29. Something similiar happened to me by Kiwi · · Score: 3, Interesting
    (Sorry about the blank comment. The new Slashdot code is still really buggy)

    A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

    The FBI, in particular, is very ignorant about computers and security. Read this month's crypto-gram (one link from the page I linked to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

    About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

    Instead of just listing the mailing lists that exist, the program gave me a list of all mailing lists, and all people subscribed to the lists.

    Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

    At this point, the people freaked out. They thought I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

    Thankfully, the moderator of the mailing list was a member of our family's church. I wonder what could have happened if we were not on friendly terms with these people.

    Finally, I wonder why the FBI pursues crap like this, and not stuff like legitimate problems where the FBI could really help (scroll down to the section where he describes his dealing with the FBI).

    - Sam

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

  30. Re:Has common sense become less common? by wolf- · · Score: 2, Insightful

    Interesting side thought I've had.
    What about good samaritan laws?

    Can one be prosecuted in some states for finding a problem and NOT reporting it?

    --
    ----- LoboSoft specializes in Digital Language Lab
  31. Re:Wire Fraud by J'raxis · · Score: 2

    This is probably similar to how you can sue someone if they don't get convicted in criminal court for the exact same act. 18 USC 1030 is federal, wire fraud might be a state crime. Yet another end-run around the Constitution.

  32. Re:Wire Fraud by mikethegeek · · Score: 2

    "What? Huh? First off he the prosecutor goes for Title 18 Sect 1030 and doesn't get a conviction, he can't just go after him again for wire fraud instead. Double Jeopardy."

    Morally, yes, legally, no, because it'd be a different charge.

    Remember, the "justice" system is about nothing of the sort. It's about the SYSTEM. Justice is, at best, an INTENDED side effect. Which can be done away with when you have corrupt judges, law enforcement, and prosecutors. And there plainly are some or all of the above in this instance, even though it may not be DELIBERATE, but instead incompetence.

    However, of those with the power to use force to take away freedom, and the power to imprison, I believe incompetence=corruption. There IS no excuse, be it deliberate, or a case of ignorance, for the abuse of government force against the individual. Just as ignorance of the law is no defence for the citizen, cluelessness shouldn't be for the government.

    --
    === The price of freedom is eternal vigilance
  33. Well, what did YOU do ? by aibrahim · · Score: 5, Insightful
    I emailed the DOJ, President, VP, My US Senators and Oklahoma Senators about this case asking them to look into it. Here is the message I sent:
    I read about a case regarding Brian K. West in Southeast Oklahoma at:

    http://www.linuxfreak.org/post.php/08/17/2001/134.html

    If the information contained therein is correct, then there is already a SERIOUS miscarriage of justice going on.

    Is it the policy of the United States , the Bush Administration and the Department of Justice to prosecute well intentioned citizens for attempting to help a stranger in an entirely benign manner ?

    Would the DOJ prefer that the editor never have been notified about the security issue accessible through routine use of Microsoft software ?

    What about the implication for other "good samaritan" acts ? Does the DOJ intend to set a precedent allowing any confused person to prosecute and/or sue anyone who helps them ?

    I call on the DOJ to investigate the legal and technical competence of the attorney and law enforcement personnel in this matter.


    Feel free to copy this and send it off if you like. With luck, either the DOJ will quit, or we'll get a better explanation. Hopefully we can create an awareness that VOTERS are watching what happens in these matters, and that we expect reasonable action and competence.
    --

    Don't post inaccurate information
    If you do, I swear by my pretty floral bonnet I will end you.
    1. Re:Well, what did YOU do ? by Absynthe · · Score: 2, Interesting

      You know, I went to the trouble of emailing Don Manzullo, my representative in Northern Illinois. He makes it something of a bother to even do as his office doesn't accept email from non-constituents. I put my thoughts together regarding the dimitri case and fired it off.
      Two weeks later, I get this big manila envelope with a little four line form letter thanking me for my interest in the case and this huge packet of press clippings regarding the case. Ever since then, every week like clockwork I get this huge packet of clippings in a big manila envelope from Don.
      I have no idea what I accomplished in writing in the first place. I guess it's better than nothing. I didn't really expect the representative to call up thanking me for pointing out the case and asking me out to dinner to discuss it further.
      Did any of you write your congressmen and get some different response?

    2. Re:Well, what did YOU do ? by Nailer · · Score: 2

      Don't live in the US, but for those who do here's the contact details for Poteau Daily News and Sun. It's prolly being prosecuted by federal organizations but getting PDNS to ask the government to to pursue the case would be a good start.

    3. Re:Well, what did YOU do ? by hey! · · Score: 2

      That's a nice short letter.

      Why don't you write it out in long hand and send it by e-mail so somebody will actually read it?

      With e-mail, you are lucky if some staffer bothers to count the number of e-mails on each side (which they won't unless they're flooded).

      I was thinking -- if you really wanted to get attention for a case like this or the Sklyarov affair, you need to make a phenomenon that can't be ignored. Like if every American who reads Slashdot wrote their opinion on a brick and mailed it to their congressman.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Well, what did YOU do ? by legoboy · · Score: 2
      I emailed the DOJ, President, VP, My US Senators and Oklahoma Senators about this case asking them to look into it.

      The chances that a single one of them will ever see your email are somewhere between zero and nil. You would have infinitely more impact if you arranged a meeting with your own representative, and went about informing him face to face.

      --
      If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
  34. Contact Wally Burchett and the Poteau Daily News by pclinger · · Score: 3, Informative

    Mr. Wally Burchett has some serious issues, and the Poteau Daily News has something coming to them if they think they can get away with this.

    Everyone should start writing letters, call the editor, etc. From their Web site:

    Address:
    Poteau Daily News & Sun
    P.O. Box 1237
    804 N. Broadway
    Poteau, OK 74953

    Office Hours:
    7a.m. - 6p.m. Mon.-Fri.
    8a.m. to Noon Sat.

    Phone Numbers:
    (918) 647-3188
    (918) 647-8198 Fax

    Email:
    pdns@pdns.com
    publisher@pdns.com

    If you write letters, direct them to Mr. Wally Burchett.

    As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.

    For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.

    --
    /. editors made it impossible to link to file:///c:/con/con in my sig. Please just type it in
  35. Re:Better off dead by rjamestaylor · · Score: 2
    You're alive, you're alive, you're alive, you're dead.
    ...as opposed to a slow one;
    You're alive, you're alive, you're alive, you're dead.

    Ok, so you're saying there's a fixed number of "alive"s before "dead."
    My only question is: How can I lengthen the polling on that status check?

    --
    -- @rjamestaylor on Ello
  36. In a related story by Molina+the+Bofh · · Score: 2

    Ten firemen of the Oklahoma city were arrested early this morning for trespassing.

    The squad alleged they broke into a house because it was burning, and they received an emergency call that said there were people trapped inside it.

    Instead of innocent trapped civilians, they unknowingly tried to rescue undercover FBI agents.

    The firemen broke the main door and entered into the burning house, when they were immediately charged for vandalism, trespassing and attempted burglary.

    They alleged they were trying to save lives, but this is no excuse to FBI agent Smith, that said:

    "What we are facing here is a very serious crime. They entered the house without written permission from its owner. Their work doesn't matter. Or do you think a teller can enter a bank's safe and get money without permission ?"

    If the firemen don't get convicted, then the prosecutor would try for arson.

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
  37. Re:Has common sense become less common? by Bobo+the+Space+Chimp · · Score: 2, Insightful

    There's always another side to the story.

    The business owner should have been grateful upon hearing, "Hey, there is a massive security hole in your web page. Here's how to fix it."

    Instead, he felt threatened, recorded the callback, and called the police. Why?

    That's what I want to know. I want to hear the tape.

    Free the tape!

    --
    I am for the complete Trantorization of Earth.
  38. Common Sense and Peeping Toms by Gefiltefish · · Score: 2, Funny

    While this individual seems to have done a "good deed" in communicating a security flaw and this pursuit by the feds is excessive, the issue should at least get a fair treatment from both ends. Just imagine the following conversation:

    Concerned Citizen: "Mr. Smith, I'm calling because I noticed that your bedroom blinds are partially open and I can see your wife walking around in the nude. I thought I'd bring this to your attention so you can remedy the situation before more malicious sorts exploit the breach in your window dressings."

    Smith:"Are you sure about this?"

    Concerned Citizen: "Yes sir. Just to be sure, I pulled out my binoculars. I can tell you that your wife has a pierced left nipple and a tattoo of Bugs Bunny on her right butt cheek. Oh, and I'm sorry about your lack of gift. They say that size really doesn't matter anyway..."

    Smith: You bastard!!

  39. Re:I once did something like this...But won't agai by snakecoder · · Score: 4, Insightful

    A co-worker of mine found a strange machine on a corporate housing DSL network. Turned out to be a CEO of a consulting firm. My friend did poke around and noticed what could have been sensitive documents. He also was able to look at this individual's cookies. He was not able to find the guy's e-mail directly so he contacted the company instead. The CEO called him directly, thanked him and offered to take him to dinner.

    The big question is, would this guy have been as grateful if he knew the methods my co-worker used to figure out who he was? It's a fine line. Maybe being an anonymous good samaritan would be the better route.

    --
    -Nuke the moon
  40. Letter via email by SCHecklerX · · Score: 2

    Since I don't have the cash to contribute right now, I did send an email to the address given at the end of the article. Here is what I wrote:


    Hello,

    I just read about a case involving Brian K. West. The URL is:
    http://www.linuxfreak.org/post.php/08/17/2001/134.html

    From everything that I have read, this person did absolutely nothing
    wrong. I fail to understand why he is being persecuted for simply
    notifying somebody of a *VERY SERIOUS* security hole on a service they
    offer to the entire world.

    Please consider throwing this case out. Mr. West has undoubtedly
    already lost much time, money, and reputation due to this injustice.
    Had he done the same thing for me, I would have immediately sent him a
    message of thanks and IMMEDIATELY secured the site. Apparently, weeks
    after the initial warning that Mr. West was so kind to give the poteau
    daily news website administrator, this hole (really a misconfiguration
    on the administrator's part) still was not closed.

    Allowing frontpage publishing to the entire world is a serious
    potential vulnerability. Doing the same with no authentication
    mechanism is just plain stupid, especially for a news site whose
    integrity is at stake.

    If you would like to see other people's views on this incident, please
    visit:
    http://slashdot.org/article.pl?sid=01/08/18/170259&mode=thread

    -- greg, webmaster@no.slashdotting.desired

    --
    Greg Spath
    gspath@no.slashotting.desired
    http://no.slashdotting.desired

  41. Re:Wire Fraud by mmol_6453 · · Score: 2, Informative

    Here's the law entry for what he's charged with, and Here's the reference for the Oklahoma wire fraud law.

    --
    What's this Submit thingy do?
  42. Hey, I got an idea... by BierGuzzl · · Score: 2
    I'm gonna make up an even better story with even less sketchy details about what I actually did and what the cops charged me with, leaving very clear info on how to help donate money to my cause.

    For all of those tempted to donate money, make sure you check out the story first!

  43. What about MS? by multicsfan · · Score: 5, Funny

    Shouldn't MS be a co-defendant as they provided the software used to 'hack' the site? Isn't there something illegal about making tools that are used for 'hacking'?

  44. This (fictional) story ends happliy by griffjon · · Score: 2

    Actually, the FBI agents weren't trapped inside, they were just debating who would go to jail after one agent pointed out that another's fly was open. Was the person with the lazy zipper a sex offender, or was the person who pointed it out a peeping tom? By the time the firemen got there, the agents had all handcuffed each other to each other. Local police commented that this was obviously some arsonistic sex cult, and that the FBI agents' names should be listed on a public bulletin board. The NSA pointed out that this would unnecessarily expose the agents, so the cops were arrested. The DoJ brought the case before the Supreme Court and thus was the entire American 'justice' system brought to a halt.

    The firemen, having no one left accusing or prosecuting them, returned to life as usual, and the nation breathed a sigh of relief as good samaritanism was, if not legal, at least accepted again as there was no one to prosecute the cases left.

    --
    Returned Peace Corps IT Volunteer
  45. Good samaritan laws by Mark+Bainter · · Score: 2, Interesting

    Hrm. I think we need updated/slightly modified good samaritan laws to cover this sort of thing. This is even worse than situations GS laws were meant to cover. Currents are if you cause damage accidentally trying to help. He didn't even do that. It's like rescuing a man from drowning and having him sue you for doing so. To quote John Stossel: Give me a break.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison
  46. Per the fbi afidavit by WindowsTroll · · Score: 3, Informative

    he is guilty of unauthorized access to the PDNS web site. He admitted in a recorded conversation with PDNS representatives that he accessed the user names and passwords to their site, that he entered their site using these names and passwords, and that on three occasions, he entered the web site of 1st National Bank of McAlester and was able to view customers checking accounts, savings accounts, and money transfers.

    So, going back to the house analogy, he is guilty of going inside and looking around.

    The details of the affidavit are from Brian West's own web site, http://www.bkw.org

    --
    "Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
    1. Re:Per the fbi afidavit by H310iSe · · Score: 2, Insightful
      Yea but, I mean, 20/20 hindsight is great but I probably would have done the same thing this kid did. Think about it, bored at work, poking around, find big hole. You're a geek. What's the first thing you want to do? Look around, feel the edges, learn, explore. This is what has gotten you to where you are today, you've been rewarded for this (natural?) predilection so you (naturally?) continue. You're not Evil. You don't do anything bad but you also don't immediately shut down everything and call the ISP. You play first. Then you do what seems like the right thing (again sans 20/20 hindsight) and call the person affected. It's a little dig against your competitor that you tell their client and not them. Fine.


      I would have probably done the same thing and never even considered that I could get in trouble. My intentions and actions were all good.

      Now as mentioned Joe-6-pack will not understand this if the facts are spun a different way by a skilled and, IMHO, malicious prosecutor (who should know better but since 5-oh can't catch any *real* criminals they have to royally fark the innocent ones). I can see the courtroom now. This kid is screwed.

      This is an important reminder, maybe our foresight will be a little sharper through his hindsight.

      --
      closed minded is as closed minded does
  47. Re:Has common sense become less common? by Skapare · · Score: 4, Interesting

    That analogy does not fit. A more correct one would be:

    Hi. I came by to visit you at your house yesterday, and when I knocked on the door, it just swung wide open. Did you know you have left it ajar? I yelled to see if you were at home, but you weren't. You know someone might steal the computer you have set up right at the front of the living room there. Well, I closed the door for you. Since I don't have your key I couldn't lock it. You really should try better to keep your door closed and locked, but if not, at least move the computer to your back room so someone less honorable coming along won't walk off with it.

    Using the wrong analogy could leave people who just don't understand in the first place with a misunderstanding of it. As to the specific facts about the case with PDNS.COM, I don't know if I have them all or not. But based on what facts have been presented that I have read, my analogy is the correct one. The only reason 99.9% would say this guy is wrong is if they are judging him based on your flawed analogy. Common sense dictates that the case should be investigated. Maybe LinuxFreak.Org didn't really do a very good job of gathering the facts. But until they all are available, this is what we have to go on, and it makes the feds, idiot small town newspapers, and a certain sysadmin, look bad.

    --
    now we need to go OSS in diesel cars
  48. The way we make laws is a security flaw by blair1q · · Score: 3, Interesting

    Anyone with a bad idea and enough money can get any nonsense turned into a law.

    --Blair
    "Democracy is a wonderful thing. I wish we had some."

  49. wierd tactic - details of Title 18 Section 1039 by hillct · · Score: 3, Informative

    One item not mentioned in the article is the details of Title 18 Section 1030 which pertains to 'Fraud and related activity in connection with computers'. Under this statute, mere access to protected computers owned by the federal government is a criminal offense, and access with intent to cause damage or defraud are offenses, but this guy hasn't committed any of these offenses. The only offense he might have committed is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.

    The problem with prosecuting under this theory is that as far as I can tell (and the article doesn't really say either way) accessing the computer hosting the newspaper website was not done across state lines (thus affecting interstate commerce - which is why this clause can exist in the US Code at all). Does anyone know weather access to the newspaper website was done across state lines? It doesn't look like it to me.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
    1. Re:wierd tactic - details of Title 18 Section 1039 by Anonymous Coward · · Score: 4, Insightful
      hillct wrote:
      The only offense he might have committed is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.


      Your point about state lines aside, the words "protected computer" jump out at me. From what I've read, I can only draw the conclusion that the computer is not protected and that, in fact, the suspect in this case was contacting the other company to inform them of this fact. Sounds to me like this FBI team are just looking for something to do to justify their existence.
    2. Re:wierd tactic - details of Title 18 Section 1039 by hillct · · Score: 3, Interesting

      The previous poster (the AC) makes a very good point. At what level should a computer be considered protected? Is a computer considered protected if there is simply the capability to set a password but none is set, or does there have to be an overt act by the administrator to attempt to protect a computer (like set a password, or read the manual or something).

      Along the same lines, could weather or not a computer is protected be established by how difficult it was to gain access? Perhaps the computer could be said to be not protected because the guy didn't have to take any special measures to gain access (except click the 'edit' button in FrontPage). This is a legal question and not one I have the answer to.

      --CTH

      --

      --Got Lists? | Top 95 Star Wars Line
    3. Re:wierd tactic - details of Title 18 Section 1039 by emmons · · Score: 2, Informative

      Please, learn English if you want to write in it.

      "weather" is not the same as "whether."

      --
      Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
  50. Death of a hobby by Anonymous Coward · · Score: 2, Interesting
    I am a graduate chemistry student. I do chemistry in a laboratory belonging to a University, and order all my supplies from approved companies who, in turn, will not sell to the general public. Old folks tell me that there was a time when one could walk to a drugstore and buy some chemicals! Yes, sir, I'd like some potassium permanganate, some methylene chloride, and some tantalum azide. You do know what you're doing, son, don't you? Yes sir, I do. Okay then, be careful.

    You try doing chemistry as a hobby at home today you will find yourself in jail. Even if you never make any drugs or bombs, it will be assumed that you are making drugs and bombs. The possession of any chemicals which could conceivably be used for making drugs or explosives will be taken as evidence that you are making drugs and explosives - even if you aren't. Even if you have careful notebooks which explain what you're doing, it won't help you. People have been sent to prison for possession of three-necked flasks and triple-beam scales!

    Computer security has, I think, gone the way of chemistry. Don't do it at home! I am by nature a paranoid person - perhaps this is to compensate for my lack of ability to "read" people and take hints - it would never occur to me to do any white-hatting and give my real name. I would have notified the newspaper jerks by email from an anonymous terminal or by disposable calling card from a payphone. The boy in this case should have told his boss at his company, and let his company decide whether to call or not. Instead, he goes off and gives the impression that he goes around finding holes in systems, on his own, all the time! If security is your hobby, go and get a job at an actual security company and do it full time. Or don't do it at all.

  51. Pick your analogy by Plasmic · · Score: 4, Informative

    In Brian's case, this reminds me more of a guy walking his dog around his neighborhood on the sidewalk who notices that the front door of one of the houses was left wide open and that there are flashing neon signs pointing to the open door that read

    ENTER HERE -->

    TAKE EVERYTHING IN MY HOUSE! PLEASE! I DON'T WANT IT! IF I DID, WHY WOULD I PUT THIS SIGN UP AND LEAVE MY FRONT DOOR OPEN?

    So, the guy looks at the mailbox to find a house number, looks up the number in the neighborhood directory, and calls the owner to make sure he's aware of the situation.

    We can start an entire thread on analogies for things like what Brian did and what portscanning is, but it just becomes subjective depending on how familiar you are with the technology. To many of us, opening up a file that contains contact information after Frontpage accidentally goes into editing mode instead of read-only mode (or whatever) and then contacting someone about it seems trivial. But to your average FBI cybersleuth, it's just as trivial to spin this in an insanely dark direction.

    Isn't it more fun to catch cybercriminals than to wander around determining that those people are actually innocent? Try to convince your average cocky FBI boy of that.

  52. letting no good deed go unpunished by Wansu · · Score: 2

    Many of us have pointed out problems with web sites but few of us have been keelhauled for it. This is a chilling development to think that FBI agents are so eager to be promoted for appearing to be cyber-savvy with such grandstanding symbolic arrest-like-gestures and ISP managers trying to cover their incompetent butts by crucifying a well intentioned guy like this.

    Moral: Stop reporting security holes!

    --
    Wansu, th' chinese sailor
  53. Re:Donations...( I *do* know him ) by CoreDump · · Score: 5, Interesting
    Actually, I do know Brian on a personal level. I've known him for a few years. I work for a national ISP based in the Chicago area, and have collaborated with him on some projects in the past, so I know who he is, what his convictions are, and he's certainly not guilty of anything malicious in this case. I'm not posting as an AC, so feel free to check me out as well, if you are convinced this is a conspiracy to dupe the Slashdot community.

    If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worthy of a *FEDERAL FELONY* conviction.

    I donated to Brian's cause, because as a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).

    If you don't believe in this case, donate to the EFF instead.

    --

    ---
    Segmentation Fault ( core dumped )

  54. Parallel Senarios... by Pollux · · Score: 3, Interesting

    Passer-by: "Hello, police? Yea, I was driving by KMart when I noticed that the doors have been broken off of the front of the building. You might want to get someone over before the place gets robbed."

    Police: "Stay there for a while sir and watch things until we arrive."

    15 Minutes later...

    Passer-by: "I'm glad you made it. I was getting tired and..."

    Police: "You're under arrest for theft and breaking and entering."

    Yea, that makes a lot of sense.

    1. Re:Parallel Senarios... by loraksus · · Score: 2

      who would steal from a k-mart?

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  55. Re: Has common sense become less common? by 3247 · · Score: 3, Insightful

    If you make an analogy, you gotta make a correct one:


    Hi. I just wanted to let you know that I stopped by your house the other day, and I saw that your front door was standing wide open. The next day it still was wide open. So I went in to see whether there was anything wrong. Everything looked ok except that I found what looked like a key for your safe lying open on the table. Just curious how stupid you really are I tested it and it was really fitting. I think that you have a security problem.


    (Note: In real life, this might constitute trespass. However, there's no such thing as digital trespass. In real life, you'd probably just call the police.)

    --
    Claus
  56. Re:taping conversation illegal? by mcc · · Score: 2

    Isn't taping a phone call without both party's knowledge/consent illegal?

    The legality of phone call taping is, as far as I can tell, governed by state law. Therefore the legality of taping a phone call without the consent of both parties would vary depending on what state the phone call took place in. (If the call happened across state lines, I assume federal law would have jurisdiction.)

    I found this rather informative webpage on google, and it claims that in Oklahoma you only need the consent of one of the parties involved in order to record a phone conversation. So your answer is: No.

    (P.S. : That page also claims further down the page that federal law only requires the consent of one party, and that federal law also takes jurisdiction if you go and make the call from an Indian reservation or the lobby of a federal building. Which is kind of interesting and probably totally accurate, but not very relevant considering both parties involved here were in Oklahoma.)

  57. Entrapment and other issues. by Restil · · Score: 5, Insightful

    First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically that's entrapment.

    If the company asks me to demonstrate breaking into their website, then that's the same thing as inviting me into your house then having me arrested for trespassing.

    Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.

    All that aside, what do we do? Should we not bother to help the world secure itself? Should we just write worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways?

    How DO we deal with this? Law Enforcement either doesn't have a clue, or doesn't care, and probably it's both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure Microsoft crap and have it work, and Microsoft certainly isn't going to take any blame for it.

    This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcement involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.

    As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if its not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?

    -Restil

    --
    Play with my webcams and lights here
    1. Re:Entrapment and other issues. by mpe · · Score: 2

      He is being charged with d/ling a Perl script which the company values at $5,000.

      Enormously inflated values are hardly uncommon in cases of downloaded files. $5,000 just happens to be the minimum figure for the FBI not to have told them to get lost.

    2. Re:Entrapment and other issues. by Restil · · Score: 2

      Yes but the average person knows that killing someone without reasonable cause (self defense) is illegal. However, say a cop told me to walk over to him, and by doing so I crossed a grassy median and after I cross it, he arrests me for walking on the grass, since that's illegal. I may not have known that, especially if there were no obvious signs around.

      It's not that law enforcement told someone to break the law. They were posing as the legitimate users of the website/servers in question. Shooting someone is illegal in all cases (except those rare exceptions). I can't typically be ALLOWED to kill someone (yes, there are exceptions). However, the rightful owner of a house can give me permission to do any number of things to that house that would otherwise be illegal if permission wasn't granted, and when permission is granted it is no longer illegal.

      If the sysadmin knew that what he was doing was potentially against the law, he probably should have gotten the request in writing. Obviously he didn't think much of someone asking him to break into his own site to demonstrate the flaw. But this was very much a setup. And more importantly, this is a victimless crime. Prosecuting this person accomplishes nothing, but it might make someone out there feel safer at night because some evil haxor they don't know and never hurt them won't be able to hurt them now or however someone wants to justify it.

      I still say... what can you do? If we eventually reach the point where the very act of reporting a security hole is a crime, then we might as well go to the trouble to patch the holes and never say anything about it. I mean, after all, what difference will it make? We're just as liable, but one of those solutions is guaranteed to have the security problem taken care of.

      -Restil

      --
      Play with my webcams and lights here
  58. Re:Has common sense become less common? by NoMoreNicksLeft · · Score: 2, Interesting

    This is like some stupid junk mail printing machine printing up the combinations to the company padlocks, and then sending that junk mail to you. This guy, seeing that it was something very bad, decides to be nice, and call the company up, letting them know what happened.

    Or, a better example. After closing hours, you are walking down the street. Your shoelace becomes untied, and you lean up against a storefront, to tie it. Oops, but the door isn't latched, and you tumble inside. Now, do you rush off, and never get caught? This guy didn't.

    Do you do like some do, write a small note, and place it inside (the analogy would mean leaving a webadmin.html with the info), which while technically illegal is still in good faith? This guy didn't.

    He calls them up on the phone, and informed them of the security flaw. He didn't publicize it, thereby inviting script kiddies. His access is something that is publicly and technically acceptable, and he didn't even take a single step beyond it. He acted in good faith, even though competitively he shouldn't have aided the competition, nor was he obligated to do so, ethically or legally.

    The only real crime here, is being committed by the prosecutor. He should be charged with false prosecution, and if there is no law for that, treason. Subverting the laws of this country, and attempting to convict someone even though you know them to be innocent, is certainly treasonous. Plus, treason allows for the death penalty, if I'm not mistaken, a just punishment and excellent deterrent.

  59. [OT] Re:Who-hoo! Land of the Free! by locutus074 · · Score: 2, Informative
    Having formerly worked for an airline, I can tell you that the reason is because Frankfurt is the first stop in the country of your final destination.

    Think about it this way: Suppose you embark from Podunk, Idaho on your way to Frankfurt, with a connection in LaGuardia (New York City) each way. (Assume that Podunk Regional Airport has no customs and immigration facilities, but it wouldn't matter if it did.) On your way back, you'll go through customs and immigration in New York, because after New York, it's all domestic flights.

    It works the same way going abroad.

    --

    --
    We have fought the AC's, and they have won.

  60. Re:Has common sense become less common? by Zico · · Score: 4, Insightful

    It's a fairly obvious difference between cracking a system, and exploiting the problems found, and coming across a problem by accident and reporting them in a sensible manner.


    How is what he did sensible? He works for company X. On day 1 he finds a misconfigured server run by company Y, his direct competitor. He spends this day poking around two of the sites hosted there, testing out usernames and passwords that he found on at least one of them. Does he tell anyone who could fix the server anything? No. Not until the next day does he let anybody know about it (assuming he didn't share the info with his buddies), and when he does so, does he call the server operators? No, he goes to company Y's customer and tells them. And he doesn't tell their IT department, he tells it to a newspaper editor. He's not some good samaritan, because he never did tell company Y about the problem with their server. He was still showing people the hole 10 days after he found it.


    The sensible thing to do, which I've done a few times, is that the instant he realized that there was a hole in the server, he should've immediately quit playing around with it and immediately called or emailed the customer or company Y. That is, if he really wanted to be a good samaritan. If he didn't want to be a good samaritan, that's fine, he doesn't have to call, but you don't sit there poking around the hole after you realize that it's there.

  61. Wrong Lesson by fm6 · · Score: 5, Insightful
    Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

    Totally wrong. Somebody who knows the technology must have been involved even before they called in the FBI. And I'm sure the FBI and the U.S. Attorney also have technical experts.

    Undoubtedly Cyberlink has a policy of referring all security breaches to the authorities. They probably call it "zero tolerance" or whatever the get-tough buzzword is this week.

    Common sense says that West behaved responsibly. He inflicted no actual harm on the Daily News web operation, and indeed probably saved them some down time, or worse.

    Unfortunately, common sense is not relevant here. When somebody gets caught in a technical violation of the computer security laws (even when the violation is a matter of interpretation, as in this case), the authorities have every motivation to "send a message" and go after the "culprit". Brian West's criminal intent, or lack of it, is simply not to be considered.

    The ultimate safeguard is supposed to be the trial jury, which would presumably see that Brian is anything but a criminal. But in order to avail himself of that safeguard, Brian has to expend all his financial resources in an expensive trial.

    So the U.S. attorney offers Brian a plea agreement involving no jail time. Brian gets to walk away with some of his finances intact, and the feds get to chalk up a conviction. Everybody's a winner.

    Outrageous? Yeah, some people would say so. Stupid? No argument from me. Counterproductive? Actually making things worse? Absolutely. Unprecedented? You've got to be kidding. This is the way the justice system works, and this sort of thing happens every day.

    I've long had a policy of never reporting security breaches, unless the victim is somebody I know and trust. I've had brushes with the "shoot the messenger" mentality before, though never anything as nasty as this. I'm not surprised, but it's a little chilling to see my worst fears so thoroughly confirmed.

    1. Re:Wrong Lesson by Winged+Cat · · Score: 2

      Umm...if the guy is totally not guilty and can prove it easily, to the point where the FBI knows or should know that this person is no criminal (at least, no way could they get a jury conviction), isn't prosecution beyond that point grounds for countersuit for harassment or something, in which he could recover (at least) any and all legal fees?

    2. Re:Wrong Lesson by fm6 · · Score: 2
      ...isn't prosecution beyond that point grounds for countersuit for harassment or something...
      No it isn't. My argument was based on a common sense notion of what is criminal behavior. A law enforcement official has no obligation to accept my common sense notions. He or she just has to have reason to believe that the law might have been broken. Since the law in this case is very broadly drawn, that doesn't take much.
  62. Geeks are so one-dimensional by dmccarty · · Score: 2
    When Mr. Burchett called back, he recorded the call and asked for details on the server problem.

    I find it so ironic that geeks and programmers (myself included) are so one-dimensional about life. On the one hand, we spend enormous amounts of time and resources securing machines from outside intrusion, and ridicule those who don't (e.g., Microsoft).

    On the other hand, our entire lives are an open book to any law enforcement agency, businessperson or non-tech professional because we just don't know enough about how life works.

    Here's a clue: don't let an angry guy you don't know record you on the phone! Federal laws are very strict about the legality of recording telephone conversations. If both parties do not agree to the recording, the person doing the recording is committing a crime.

    Maybe if we secured our own lives as well as we did our servers these problems wouldn't happen to us. Why do we blame the sysadmin if someone breaks his insecure box yet blame the government if they break into his insecure life?

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  63. Everyone a winner? by Apuleius · · Score: 2

    You realize time or no time,
    a felony conviction can rip you
    a new career asshole on a semiregular
    basis for the rest of your life.

  64. Give me an I by fm6 · · Score: 2

    Yes, I know this fact. When I said "everyone's a winner" I was using a special form of expression you should acquaint yourself with.

  65. Reporting a security problem by Anonymous Coward · · Score: 2, Interesting

    A couple of years ago I found some strange charges on my credit card bill. Someone used my card to download commercial software. I did my own investigation and found that:
    - when I recently subscribed online to an ISP, all the data was sent to one of the employees. That employee was probably responsible for billing.
    - I could read /etc/passwd using browser and my dial-in password. I could find who worked for the company (they used ksh, others pppksh)
    - I could read ALL MAIL BOXES using browser and my dial-in password. That included mail box of that employee. I found credit card numbers of 4 other people there.
    - I could CHANGE ALL MAIL BOXES with ftp.
    I also found what account was used to read e-mail with my credit card number.

    I sent an email to the boss (I found who the boss was by looking in the employees' emails) and there was no reply. Then I edited the mail box of the billing employee ("I am interrupting your reading to inform you about such and such problems...").
    Only then they fixed it. Oh, and I talked to the sysadmin, and he did not know what is sticky bit.

    Now: should I rot in jail?

  66. New Witchhunting by johnos · · Score: 2

    Now that the commies are out of the picture, a new villain is needed. The Chinese are maturing nicely, but won't be ready for some time. Child molesters and kiddie porn purveyors have filled the gap, but people are getting bored, and most of them are in prison by now anyway.

    I know, let's get the geeks. Nobody knows what they do, and they look funny. Besides, they are responsible for the dangerous notion that democracy is more than dutifully not voting in elections.

  67. This is no good: by ColGraff · · Score: 2

    From the article: "They also refused to promptly provide a copy of the Search Warrant when one was repeatedly requested."

    That, boys and girls, is a violation of a defendant's rights. A big one. We don't need to worry too much about this case, I think - a competent lawyer will get it thrown out on those grounds alone. I'm just surprised at the FBI stupidity. Wait a sec...no I'm not. :-)

    --
    I'm the stranger...posting to /.
  68. FBI should have powers taken away by FooRat · · Score: 2, Interesting

    At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked

    I can just picture this situation, these FBI agents were probably sitting there thinking "wow, this hacker dude is hacking into the site right in front of us, we've really got him now. This is too easy!".

    Seriously, if an organization such as the FBI doesn't even have the know-how to tell the difference between "hacking maliciously" and "letting a company know they have a security problem", then their authority should be taken away from them - unless they can prove they actually know what they are doing - otherwise, we have a serious problem. You can't give someone so much authority and power to investigate crime when they know little to nothing about what they are supposed to be investigating. That's scary.

  69. Don't trust the Oklahoman - HORRIBLE REPORTING by lonesome+phreak · · Score: 3, Informative

    I live in OK. Never trust what the Oklahoman says. It has been judged one of the WORST newspapers in America (http://www.cjr.org/year/99/1/worst.asp). They are racist, homophobic, and very skewed on all their reporting.

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.
  70. He has not been charged! by small_dick · · Score: 5, Insightful

    Ahem, this man has not been charged with a crime. That means they are blowing smoke -- for now. He does not need an attorney.

    Look, several years ago, I walked near an area where a sexual assault had taken place. The police saw me, and you can imagine what happened. I was a perfect target -- single, no alibi, just walking between two places alone.

    They questioned me, took my info, and left. The next day they started calling me at home and at work, trying to get me to confess, trying to get me to "accept" a lesser charge.

    They stated that if it went to court, they had enough circumstantial evidence to convict me, that if I didn't take the offer, they would go for the most severe charge. I would be in jail for "years", and (obviously) lose my job.

    If I would just confess to a lesser charge, they would "guarantee" no jail time, and no fine. After seven years, it would be like nothing happened, there would be nothing on my record.

    There was just one problem with accepting the blame: I was not the perpetrator; I committed no crime.

    So I was scared. I spent some money on an attorney ($75) and the guy wanted thousands "up front" to "insure my freedom".

    As it turns out, most lawyers are lying bastards. I talked to my Dad's attorney about this, and he started laughing. He said "My God, this is America! You haven't even been charged! They're blowing smoke up your ass to try and get a free conviction for doing no work!"

    He recommended that I call the Detective and state:

    "My attorney and I will surrender to your department when charges are filed, please contact me at that time. I have no intention of fleeing; I would like to avoid the embarrassment of being arrested at my home or place of work".

    Total cost for a real attorney : $0.00

    I was never arrested, charged or contacted again!

    Know your rights! You do not have to speak to the police...you should respect them and answer rudimentary questions with honesty, but once it becomes clear that you are a target of the investigation, stop talking! Simply tell them you intend to turn yourself in when charges are filed.

    --


    Treatment, not tyranny. End the drug war and free our American POWs.
    See my user info for links.
    1. Re:He has not been charged! by sharkey · · Score: 2

      IANAL, but that sounds suspiciously like harassment.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:He has not been charged! by small_dick · · Score: 3, Insightful

      IANAL either, but I believe it's actually protected free speech.

      The detective was pushy with me, insistent. Remember, I was not charged, arrested or mirandized. More or less, it's consensual communication. I had little experience with the law prior to this incident, other than things like tickets.

      It's been decided by the Supreme Court that the police are not bound to tell you the truth during an interview. There are bounds, but they can say odd things like "What if I tell you I have an eyewitness? Will that help you make the right decision?" (BTW, the detective used this exact line on me!) Note that he did not claim to actually have an eyewitness.

      Now that I look back on the whole thing, I have to say these people are pros. They have guidelines, and they know exactly what they are saying and doing. They have years of experience and training in getting convictions, in any way possible.

      Another tactic was telling me that "The truth, your guilt or innocence, does not pay my salary. Convictions do. I can convict you -- I've been convicting people for 15 years, and I've never lost sleep over it. I'm one of the best. I hate to see you make a decision to go to trial and ruin your life. Do the right thing and take the lesser charge."

      Probably the thing that hurt me most, and I know now it was all an act, was when he recounted a horrible murder that occurred some years earlier. Everyone in the city knew the details, the rape and murder. This detective claimed to have busted the guy, and he gave me a horrible look and said "You're just like him, aren't you? I know criminals, and when I look at you I see a monster. I'm going to keep coming after you, and I won't stop -- ever". Well, for someone like me, I almost started crying, as ashamed as I am now to say that. The bright lights, the investigation room, the two of us alone, eye-to-eye across the table. The big police banner above his head on the wall -- everything made him look correct and invincible.

      Another reason it's not harassment is that he did not call again once I asked him to stop. My dad's lawyer made that clear -- that I should not be asked any more questions or called again until charged.

      Hope this helps people understand what they might have to face someday -- always help the law, but don't hurt yourself in the process. When you sense that the line has been crossed -- that they are considering you a suspect -- stop talking!

      I hate to think how many "people of lesser mental capabilities" have taken the fall for things because they simply believed the detectives about all this nonsense.

      --


      Treatment, not tyranny. End the drug war and free our American POWs.
      See my user info for links.
  71. Here's the thing by hrieke · · Score: 2
    No company likes to hear that the 'Emperor Has No Clothes', which is what I named this syndrome.

    I've had friends fired from high paying jobs for doing the same thing inside of the company that they were working for at the time. You just don't point these things out by yourself.

    Yeah, it's fucked but that's how they think and work.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  72. Not all bad... by TheFlu · · Score: 2

    Now if we can just get all the crackers of the world to start phoning the System Administrators of the systems they crack, we'd be all set!

  73. Re:Similar experience, but with a happy ending. by GlassUser · · Score: 2, Funny

    Wanna hear something even worse? At a small ISP I used to work at, they had some ass of a lady doing server configs who left backdoors all over the place. One guy hosting in Virginia got spammed from out of my ISP's users. He telnetted to our mail server to see if it was a system he knew, if you could get anon access to it, etc. Anon login didn't work, so he was going to exit. He fat-fingered the telnet control command, and was still on the host when he typed "exit". The prompt then read "password>" and by reflex he typed "exit" again. It then gave him a root prompt. He called up and got me, told me what he did, and said I should fix it. You should have seen the owner's face when he heard about it. Oddly, though, his reaction was to beat the crap out of our server operator, not sue the guy that told us about the hole.

  74. Title 18 Section 1030 by vulg4r_m0nk · · Score: 2, Informative


    For anyone interested in reading the law under which the prosecutor is planning to charge this guy, it is here


    If the details of the story are correct, there's no way the DOJ can win this case, as all of the provisions under the law have to do with intent to defraud or demonstrable harm having occurred. But, as others have pointed out, the details are a little sketchy.


  75. Re:This will be thrown out by multicsfan · · Score: 2

    But the computer wasn't protected, that's what he was reporting to them. That's what caused his initial confusion. If the site had been protected he would not be in this mess.

  76. I'm sorry.. but the analogy isn't quite accurate. by mindstrm · · Score: 2

    It's just NOT the same thing.
    Should I modify your computer? Heck no.... I shouldn't, you are absolutely correct about that.
    However, simply trying to connect to \\blahblah\c and having it work is hardly 'breaking in'.

    No, I wouldn't break into someone's house just for fun. But, let's say I was walking down the street, and I saw a shopkeeper locking up for the night, but noticed he didn't shut the door. I'm going to be a GOOD citizen, walk over, see if it's just my imagination, or if the door is actually open, and if it IS open, I'm going to go TELL him about it. I don't expect to be prosecuted for breaking and entering or trespassing; I expect to be told 'thank you'.

  77. Intent is almost everything in court by gad_zuki! · · Score: 2

    Obviously, the more the government wants to crack down on "hackers" the more protections people who spot security holes and such need. This reminds me of First Aid protection people get, in an emergency you can apply first aid and you cannot be sued for screwing it up.

    It would be nice if someone wrote up a bill giving those who report flaws the same protections.

  78. Re:What West should do by mikethegeek · · Score: 2

    I completely agree with you. Back in the barbaric regions of Eastern Kentucky, where I lived all my life until recently (relocated to Raleigh, NC), prosecutors and courts do a similar thing...

    Anyone who knows East Ky, knows that most of the state's "real" cash crop (pot) is grown there. Which means the courts are a revolving door of minor drug offenders. To keep up the facade that they are "winning" the "drug war", a corrupt system exists, a collusion between judge, prosecutor, and public defender. They basically arrest someone, throw them in jail, hold them there for 15, 30, 60, 90, whatever days, give them a hearing and let them go on "time served" if they plead guilty to whatever manufactured charge that is presented... 90%+ of people get this treatment, and accept the offer (who wouldn't, after all, you are being offered freedom).

    Few cases actually GET prosecuted (ie, a trial), but all those "plea bargains" count as "successful prosecutions" and makes the corrupt judge and prosecutors look good. No one ever challenges this system because you can't get a local lawyer to represent you against the judge/prosecutors, and they are always careful to only pick on those who can't AFFORD to get an "outside" lawyer who will provide an adequate defense.

    This situation reminds me of the corruption back home, that I've personally witnessed, though this is at a much higher level (FBI and federal court) than at the county level. Basically, given that they've already offered to let him off with a slap on the wrist, is PROOF that they can't hope to possibly win the case in a trial, that they want him to sign off as "guilty" to something so that they can declare yet another "victory" against EEVIL hackers.

    I hope that West has a good attorney. I'm an EFF member, and would be happy to help contribute whatever I can (not much, unfortunately) to his defense. Cases like this are all the more proof that we techies NEED to form some sort of association. Collectively, we CAN make a difference and defend ourselves as a class by pulling together.

    --
    === The price of freedom is eternal vigilance
  79. Re:This is a standard FBI tactic. by J'raxis · · Score: 2

    Actually, what you're describing has happened to a hacker before, and there was a story on Slashdot a while ago (damn search is busted right now) about it: he got caught by the FBI and went to work for them for quite some time. Finally he decided to talk to a lawyer before doing another job for them, and they turn around and prosecute him then.

  80. 'norms'? by delmoi · · Score: 2

    This guy didn't violate any norms of society, although some people think that he may have violated some laws. Norms are things that most people believe (ie kiddy porn is bad, don't steal, go to highschool, etc.), and laws are specific documents listing actions that you must or must not do according to the government.

    He most certainly didn't violate any norms.

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  81. Re:An Analogy by J'raxis · · Score: 2

    No, you wouldn't. But I could see the owner of the car possibly having you charged with attempted theft, or illegal entry.

  82. Federal Agencies Go Hog Wild? by dabooda · · Score: 2, Interesting

    Here in Australia the reputation of the U.S. FBI is formed solely through movies and television. So you can understand how someone like myself (who lives in Queensland, Australia) has the impression that the FBI like to barge into places and get convictions.

    This story has made me think "maybe the FBI are all crazy ..."

    "Oh, you think you're innocent of the charges? Well, that can be decided in court... welcome to the concept of innocent until proven guilty".

    I'm sure that the federal officers involved in this situation were thinking "if this guy didn't really hack, but honestly found this misconfiguration by mistake, his attorney will argue it in court and he'll walk".

    FAIR ENOUGH? Simply indicting someone doesn't mean they're definitely going to jail, but they get inconvenienced to the max. $10K to prove you're innocent? More than a year of your life filled with stress, wondering if you are going to spend a few more years under probation or even jail?

    I'm sorry, but that is crap. Just because these feds didn't know jack about the situation (I can only conclude that they didn't fully understand the situation as anyone that does understand the problem wouldn't want this guy prosecuted) this good samaritan goes down.

    And no, I am not anti-American. Federal law enforcement in Australia isn't too far behind. Prosecution hungry feds like to run amuck here too.

    --
    "Yeah Tommy, before Zee Germans get here ..."
  83. Give me a C. by Apuleius · · Score: 2

    Mea culpa. Me go get coffee now.

  84. Re:The Federal Gov't is now required to do this by Skapare · · Score: 2

    Reminds me of what Germany was like back in '33

    --
    now we need to go OSS in diesel cars
  85. Re:This will be thrown out by multicsfan · · Score: 2
    so in other words:

    I'm typing say an ftp, telnet, or rsh type command and accidentally mistype the destination. The target system has not been 'secured'. The command works. I've now broken the law even though all I did from my standpoint was mistype an address? Maybe I typed .com instead of .net or .org or I was typing an IP address and mistyped a digit, or maybe I misspelled a sitename, like yaho.com instead of yahoo.com.


    This seems ridiculous to me. It's like I forget where my car is parked and find the same make, model, color car and my key works on the lock and ignition. Technically I may have stolen the car, but there was no intent on my part.


    Ever been in a parking lot and see someone with one of those remote controls open their trunk and see 2 or 3 others nearby also pop up? Are they guilty of something just because their key/fob worked on several cars including their own?

  86. Double Jeopardy by small_dick · · Score: 2

    Ha, this person has never been charged, so he has never gone to court -- let alone had a "not guilty" verdict.

    It's pretty hard to have any jeopardy of any kind until those three things happen -- charged, court, not guilty.

    The prosecutor is standing in front of a mic, and talking out of his cake hole.

    The prosecutor knows two things :

    One, computer crime gets in the news. That means he gets his picture in the paper -- great for that DA job he'd like to settle into after a few more years. Bragging rights for his offspring, if nothing else.

    Two, they have a weak case, and anything they can do to get the kid to cop a plea lets them mark it down in the books as "solved". Every "solved" case increases funding and gets him a better shot at juicy DA position.

    This is all so predictable. Please see my other posts about when to cooperate with law enforcement, and when to stop and shut your mouth!

    Quick recap :

    1) In America, we have free speech. The police, the detectives, yourself. There are things any of you can say, within bounds, at different points in the process. Without charges, the police can play pretty fast and loose with their statements.

    2) Once you have been read your rights NEVER speak to anyone about the case without your attorney present!

    3) Once charged, you have a right to have an attorney present during questioning, representing you. If you cannot afford one, one will be provided. It's the law.

    Help the police, they catch the bad guys. But once they start looking at you, shut up and stay cool -- you are up against trained pros.

    Remember, when a lawyer gets charged with a crime, they shut up and get a lawyer! When a police officer gets charged with a crime, same thing! That should tell you volumes about how the system works.

    My gut feeling? Our boy here is not being totally honest about his activities. He has an attorney, but he has not been charged. I wonder why? He could be sniffing at a defamation lawsuit, his attorney may be asking questions, requesting records. The FBI, newspaper, and DAs office might be mounting a counterstrike to scare them off.

    The more I think about it, I keep wondering : why has this guy hired an attorney, when he hasn't been charged with a crime?

    --


    Treatment, not tyranny. End the drug war and free our American POWs.
    See my user info for links.
  87. Re:Has common sense become less common? by Cramer · · Score: 3, Informative

    Actually, if it ever goes to court, there may be nothing to present. Unless he was aware the phone call was being recorded, the tape is tainted. If there was no search warrant, any materials collected by the FBI at his place of business is also tainted. If the agents didn't identify themselves prior to asking him to show them what he meant, that's entrapment. And of course, if he was never read his rights, ...

    While I certainly would agree, on the surface, this looks stupid, we may not have the full story. AND, accidental or intentional, he is almost certainly guilty of "computer trespass". The "door" analogy is a little flawed... one cannot "see" that a password is not required without actually trying. Look at it more as walking up to knock on a door while blind-folded. Basically, a locked door looks just like an unlocked door; you have to try to open it to tell one way or the other. And thus, the law is broken (bent, whatever.) Laws that apply to the physical world don't always have an equal in the virtual world.

    (The lack of formal charges would suggest nothing will ever come of this stupidity.)

  88. Anonymous good samaritan by Eric+Green · · Score: 2

    Mixmaster anonymous remailer network (sigh). It's a shame that you can do right in the United States only by remaining anonymous.

    --
    Send mail here if you want to reach me.
  89. Randall Schwartz by Eric+Green · · Score: 2
    Perl god. Ex-con, for the crime of making Intel's "security" guys look like morons. The paper he was writing detailing the security flaws in their network was one of the main pieces of evidence used against him in the trial.

    --
    Send mail here if you want to reach me.
  90. God Complex by pwileyii · · Score: 2, Insightful

    This seems to be a case of the God complex. I have known people who, when their mistakes are brought to their attention by someone, think that the person is targeting them and, thus, they must be brought down. I am guessing this is the type of guy he was dealing with when he mentioned the security flaw.

    Seems like a better way of bringing up the security problem is to post it all over IRC and have other people post porn on the website. They'll understand the security flaw and look stupid, just like they should. :)

  91. FBI's no better than other polices by Ektanoor · · Score: 2

    The way the article is written tends me to see it as a genuine story because it is a mirror image of hundreds of such similar stories.

    The article shows something very familiar that can be seen among many enforcement and security services around the world. No it is not computer "ignorance". It is using your badge and position to show how important you are and to get some extra premium for "excellent service". You live in some peripheral corner of some megapolis or in some lost land of technocivilization. And you get a case near the edge of the law. So a little bit of grease and things slip to the place where you become sound and famous. And maybe you get a chance to quit this greasy and smoky neighborhood and get a seat in some shiny office at 30th floor.

    Here we can see that FBI officers are as human as their colleagues in other places of the world...

  92. Dee Em See Ay by Frodo · · Score: 2, Funny

    Sure, oh yes. Site's content is obviously a copyrighted material, and site's defences are to protect this material. Which makes Microsoft a company that produces technology and tools to circumvent the copyright protection. I'm holding my breath to see Ballmer arrested by FBI agents next time he goes out of Microsoft headquarters.

    --
    -- Si hoc legere scis nimium eruditionis habes.
  93. I hope they closed *any* security holes by now by gotan · · Score: 2

    Because any script-kiddy reading that article will probably get a hard-on, hacking in there. And they probably won't give a call in advance or leave their address and office hours with the FBI. Well, if I found a security hole on their site I sure as hell wouldn't inform anyone about it, and surely not them.

    I really hope their zero-tolerance-policy blows up in their face and leaves them with the shit they deserve, so they serve as a bad example. With their action they only scare law-abiding folks from reporting security-holes to them, but no crackers who stand on the wrong side of the law anyway.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  94. Re:insightful analogy by Syberghost · · Score: 2

    Is entry through an unlocked door illegal?

    Yes. Were you not aware of that?
    BTW, good luck to you in the case where the homeowner says his door was locked, and you say it wasn't. The fact that you illegally entered the house will be enough to convince a jury that you picked the lock.

  95. Grand Jury date: September 5 by Fencepost · · Score: 2
    For the folks saying that he hasn't been charged, that's true.

    However, he has the text of a letter received from the US Attorney for the Eastern District of Oklahoma stating that

    [...]
    1. The grand jury for the Eastern District of Oklahoma is conducting an investigation of possible violations of Federal Criminal Law involving a violation of Title 18, United States Code, Section 1030, and other violations. You are the target of this investigation.
    [...]
    So, they're presumably slightly beyond the "fishing for an admission" stage. I suspect that having an attorney really would be a good idea for him.
    --
    fencepost
    just a little off
  96. What the hell is the deal with all of these idioti by delmoi · · Score: 2

    What the hell is the deal with all of these idiotic analogies? I mean, come on. What happened is what happened, we should all be able to understand what happened without these preschool metaphors.

    Just stop this right now.

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  97. Re:Has common sense become less common? by JCCyC · · Score: 2

    Not even that. He knocked on the door to deliver pizza and the door spontaneously opened upon knocking. He made one step forward into the house, looked left, right, up, said "hello-oooo?", went out again, closed the door, went away, and came back next day to notify (and to deliver the stale pizza). Then he was charged with B&E.

  98. Actually, no, it doesn't. by mindstrm · · Score: 2

    If you are flying from say, Heathrow to Mexico City, connecting in Toronto (I made that up), standard practice is that you do not have to go through Canadian customs & immigration in Toronto, because you are not actually entering Canada officially; you are simply catching a connecting flight.

    On my trip from Amsterdam to Costa Rica, connecting in Newark, they made us collect our luggage, go through customs & immigration, and then hand our luggage back in.

    Normally, an airport simply keeps you in a secure area between connecting flights if they are not domestic.

  99. Well.. by mindstrm · · Score: 2

    You seem to think I'm whining about Customs & Immigration because it's 'annoying' or something.

    Dude, let me tell you. If I'm travelling to the United States, then I fully expect to obey their laws and go through customs & immigration, etc etc.

    But when I'm flying to Central America, and my flight just happens to connect in Newark, and I'm not told until the last minute that I have to go through US Customs (which is NOT normal for a connecting international flight).. that disturbs me, because I may be carrying things in my baggage that I am not allowed to bring into the US (But are perfectly legal where I came from and where I am going), or (though it's not the case at this point) I may for some reason not be permitted entry into the US.

    And you are just the type who says 'You don't like it in the US? Look at countries with REAL problems'. Yep. Let me tell you.. if the US continues to erode its people's freedoms as it has been, you will end up the same way.

  100. Responsibility;Contacting PDNS and its advertisers by billstewart · · Score: 2

    If this case is to be prosecuted, it's because the PDNS are asking the police to do so and cooperating with them in the prosecution - it's not like the DMCA cases where a company can make an accusation and the Feds run with it even after the accuser backs off. The paper needs to understand the moral position they're in and do something about it. Among other things, that's a job for letters to the editor that really *are* to the editor...
    Their advertisers ought to understand as well. The web page lists a Directory of them. Most of them aren't technical people; it's much better off to do a friendly "Hey, this guy tried to help out the paper you're advertising in and the publisher's gone ballistic and trying to get him jailed" rather than geekish flamage. Most of them don't have email addresses listed - most have snail-mail addresses, and while some have phone numbers, I'd advise against bothering them that way.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks