Report Security Problems, Face The Consequences

An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.

Interesting Tactic

[zpengo]

Competition: "Oh, there is? Really? How does it...? Oh, geez that's really bad. It does that too!? You're joking? Wow, we'll get on that right away." (Hangs up phone and calls police.)

PHB: "Good work, Johnson! That'll show 'em!"

Naked Woman Seeks Sex at Airport

this is not a new thing

[Emugamer]

whisle blowers have been prosecuted and prosecuted for a long long time..... why do you think we would be immune to the norms of society?

Re:this is not a new thing

Even big stupid companies do it!

Whistleblowers take 3Com to court over unsafe kit claim
By: John LeydenPosted: 15/02/2001 at 18:43 GMT

3Com is facing a multi-million dollar lawsuit from former employees claiming it knowingly sold unsafe products and conspired to file false police reports against them when they reported problems with its kit.

Depends..

[dj28]

It says in the article that he 'tested' the secure hole to make sure it was indeed a security hole. It depends on what he did to that site during that 'testing'. If he did something illegal, then they are going to bust him down in court for that.

Re:Depends..

[GoofyBoy]

Thats pretty sad that the FBI thinks they have a case based on this.

Doesn't his intent count for anything?

If think a ground floor window is unlocked, should I just talk to the homeowner or should I least verify it?

Re:Depends..

[werdna]

The great difficulty derives from the outrageously broad language in the Computer Fraud and Abuse Act and in the Stored Communications Act. Virtually every meaningful access of information to or from a computer without authority can be a basis for screaming crime, with just a few technicalities. Indeed, its nasty even in a civil context.

One incredibly important thing to take away from this communication is that if you are ever actually asked to do any kind of security audit, get a plenary release in writing that ANYTHING you do is authorized. If they don't want to do that, consult a lawyer who knows this area before you even begin to think about doing the gig. -- Its amazing how many accesses become "unauthorized" after the fact, depending upon the interests or politics of the day. Don't let this happen to you.

He's a witch...

[doorbot.com]

...burn him!

Donations...

[hexx]

Do Something About This!

Re:Donations...

[szcx]

I have yet to hear any sane theory as to why Brian would intentionally probe a website

Want to play with Occam's Razor? How about this; Brian works for Cwis, he cracked the website then contacted the Poteau Daily News to "rescue" them from the incompetence of his competitor, Cyberlink.

I'm not saying that's what happened, just that you can't be sure that it's not what happened. People need to find out as much as they can from both sides of the fence before contributing to a "defense fund".

Important lesson

[MeowMeow+Jones]

Talk to the techs.

Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

Re:Important lesson

[atheos]

It appears to me that he didn't want to inform the security flaw to the competing ISP.
It looks to me like he simply wanted to sway the customers over to his company, and use the security flaw for the reason.
ya ya ya, I'll get modded down for this, but I do think there is more to the story.
He should have contacted the other company, and the FBI should do better things with their time.

Re:Who-hoo! Land of the Free!

[sbeitzel]

This, from the only country that forces you to go through customs & Immigration even to handle a connecting flight.

No, Canada requires it as well.

Not the whole story...

[szcx]

LinuxFreak:

The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.

Oklahoman News:

Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.

The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

With that in mind, let's not canonize Brian West just yet.

Re:Not the whole story...

I know the guy in question on this situation and he didn't do anything malicious. I was talking with him on IRC at the time he found the problem and since he isn't an NT type he didn't quite undrestand what had happened. You can pull up one webpage and get dozens of listings in a log file with all the pictures, etc ... so the hundreds of attempts makes it sound worse than it really is. He did access directories on the site that operate it (they have a perl script so they can enter articles/changes via a web interface) just to see if it would allow him access to places that should have required additional passwords (not just the front page password) and sure enough it did. Nothing on the website was modified or any files changed or anything malicious. They're also claiming that this news perl script he accessed was worth $5,000 because that's the limit to get a federal prosecution.

Re:Not the whole story...

[whatnotever]

Read the comments below the linuxfreak article. Brian explains it in a bit more detail. He did use a username/password, but he got it from a file served to the public from their site.

And I think that the "hundreds of attempts" mentioned is just their normal daily load (their advertising claims to reach "over 1000" readers daily, and this is over a year later, right?). And if only *some* were trying to access these files and scripts, why even bother mentioning "hundreds of attempts" - that number is irrelevant!

Basically, he did a bit more than click on "edit," but it sounds like he really did just find the hole and check to be sure.

Re:Not the whole story...

[szcx]

Still, if you can explain to me WHY someone who had just supposedly *malicously* hacked into someones web site would phone the MANAGER of the company immediately to explain what they themselves had just done, then I might consider your opinions as being more than just those of someone who can't think for himself.

You'll note that I didn't say Brian West was lying. I simply said there was more to the story. Relying solely on an article that supports one sides story is not sufficient. But hey, I wouldn't want to suggest that your opinions are those of someone who can't think for himself.

But since you've placed me in the "them" corner, let's look at a motive. How about... for money? The oldest motive in the book. Here's a hypothetical;

Brian West works for Cwis, he cracked the website then contacted the Poteau Daily News in order to "rescue" them from the incompetence of his competitor, Cyberlink.

Don't believe everything you read.

I once did something like this...But won't again!

[tjgrant]

Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood, This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite no how to respond, so I waited a day to see if the problem went away. It didn't.

I figured that if I could see the shares other people could to, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.

They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.

However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.

What to do?

[yogensha]

So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What to I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?

This is a crappy situation.

Re:What to do?

[SCHecklerX]

Sue them for giving your private credit information to everybody in the world.

Or better yet, contact the FBI and let them take care of it, even if a phone call to a competent admin could have fixed the problem.

tragic, but not surprising.

[Anonymous+Admin]

FBI goons play friendly while gathering evidence.
Only those things that can be used against you are considered.
Where is there news here?

I have made it a point to NEVER, under any circumstances, connect to any service beyond web pages linked by their own site, without written permission of the owner, on their corporate letterhead.

Exposing security problems is considered to be a nasty evil thing. Dont do it. Let them be hacked. Do not do it yourself. If you accidently find a hole, dont access it, Dont tell others of its existance, just go on about your own business.

You, a computer knowledgable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Dont provide it.

No good deed goes unpunished

[YIAAL]

This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteeen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.

Re:No good deed goes unpunished

[mmol_6453]

It's not likely, but it IS possible that the lack of increase in crime is a result of the increase in budget.

part of the problem is incompetent sysadmin

[Skapare]

My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that its often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.

The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.

Something similiar happened to me

[Kiwi]

A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).

- Sam

Something similiar happened to me

[Kiwi]

(Sorry about the blank comment. The new Slashdot code is still really buggy)

A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).

- Sam

Well, what did YOU do ?

[aibrahim]

I emailed the DOJ, President, VP, My US Senators and Oklahoma Senators about this case asking them to look into it. Here is the message I sent:

I read about a case regarding Brian K. West in Southeast Oklahoma at:

http://www.linuxfreak.org/post.php/08/17/2001/134. html

If the information contained therein is correct, then there is already a SERIOUS miscarriage of justice going on.

Is it the policy of the United States , the Bush Administration and the Department of Justice to prosecute well intentioned citizens for attempting to help a stranger in an entirely benign manner ?

Would the DOJ prefer that the editor never have been notified about the security issue accessible through routine use of Microsoft software ?

What about the implication for other "good samaritan" acts ? Does the DOJ intend to set a precedent allowing any confused person to prosecute and/or sue anyone who helps them ?

I call on the DOJ to investigate the legal and technical competence of the attorney and law enforcement personnel in this matter.

Feel free to copy this and send it off if you like. With luck, either the DOJ will quit, or we'll get a better explanation. Hopefully we can create an awareness that VOTERS ae watching what happens in these matters, and that we expect reasonable action and competence.

Contact Wally Burchett and the Poteau Daily News

[pclinger]

Mr. Wally Burchett has some serious issues, and
the Poteau Daily News has something coming to them if they think they can get away with this.

Everyone should start writing letters, call the editor, etc. From their Web site:

Address:
Poteau Daily News & Sun
P.O. Box 1237
804 N. Broadway
Poteau, OK 74953

Office Hours:
7a.m. - 6p.m. Mon.-Fri.
8a.m. to Noon Sat.

Phone Numbers:
(918) 647-3188
(918) 647-8198 Fax

Email:
pdns@pdns.com
publisher@pdns.com

If you write letters, direct them to Mr. Wally Burchett.

As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.

For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.

Re:I once did something like this...But won't agai

[snakecoder]

A co-worker of mine found a strange machine on a corporate housing DSL network. Turned out to be a CEO of a consulting firm. My friend did poke around and noticed what could have been sensitive documents. He also was able to look at this individuals cookies. He was not able to find the guys e-mail directly so he contacted the company instead. The CEO called him directly, thanked him and offered to take him to dinner.

The big question is, would this guy have been as greatful if he knew the methods my co-worker used to figure out who he was? It's a fine line. Maybe being an anonymous good samaritan would be the better route.

What about MS?

[multicsfan]

Shouldn't MS be a co-defendent as they provided the software used to 'hack' the site? Isn't there something illegal about making tools that are used for 'hacking'?

Per the fbi afidavit

[WindowsTroll]

he is guilty of unauthorized access to the PDNS web site. He admitted in a recorded conversation with PDNS representatives that he accessed the user names and passwords to their site, that he entered their site using these names and passwords, and that on three occassions, he entered the web site of 1st National Bank of McAlster and was able to view customers checking accounts, savings accounts, and money transfers.

So, going back to the house analogy, he is guilty of going inside and looking around.

The details of the affidavit are from Brian West's own web site, http://www.bkw.org

Re:Has common sense become less common?

[Skapare]

That analogy does not fit. A more correct one would be:

Hi. I came by to visit you at your house yesterday, and when I knocked on the door, it just swung wide open. Did you know you have left it ajar? I yelled to see if you were at home, but you weren't. You know someone might steal the computer you have set up right at the front of the living room there. Well, I closed the door for you. Since I don't have your key I couldn't lock it. You really should try better to keep your door closed and locked, but if not, at least move the computer to your back room so someone less honorable coming along won't walk off with it.

Using the wrong analogy could leave people who just don't understand in the first place with a misunderstanding of it. As to the specific facts about the case with PDNS.COM, I don't know if I have them all or not. But based on what facts have been presented that I have read, my analogy is the correct one. The only reason 99.9% would say this guy is wrong is if they are judging him based on your flawed analogy. Common sense dictates that the case should be investigated. Maybe LinuxFreak.Org didn't really do a very good job of gathering the facts. But until they all are available, this is what we have to go on, and it makes the feds, idiot small town newspapers, and a certain sysadmin, look bad.

The way we make laws is a security flaw

[blair1q]

Anyone with a bad idea and enough money can get any nonsense turned into a law.

--Blair
"Democracy is a wonderful thing. I wish we had some."

wierd tactic - details of Title 18 Section 1039

[hillct]

One item not mentioned in the article is the details of Title 18 Section 1030 which pertains to 'Fraud and related activity in connection with computers'. Under this statute, mere access to protected computers owned by the federal government is a criminal offense, and access with intent to cause damage or defraud are offenses, but this cuy hasn't commited any of these offenses. The only offense he might have committed it is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.

The problem with prosecuting under this theory is that as far as I can tell (and the article doesn't really say either way) accessing the computer hosting the newspaper website was not done across state lines (thus affecting interstate commerce - which is why this clause can exist in the US COde at all). Does anyone know weather access to the newspaper website was done across state lines? It doesn't look like it to me.

--CTH

Re:wierd tactic - details of Title 18 Section 1039

hillct wrote:

The only offense he might have committed it is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.

Your point about state lines aside, the words "protected computer" jumps out at me. From what I've read, I can only draw the conclusion that the computer is not protected and that, in fact, the suspect in this case was contacting the other company to inform them of this fact. Sounds to me like this FBI team are just looking for something to do to justify their existence.

Re:wierd tactic - details of Title 18 Section 1039

[hillct]

The previous poster (the AC) makes a vary good point. At what level should a computer be considered protected? IS a computer considered protected if there is simply the capability to set a password but none is set, or does there have to be an overt act by the administrator to attempt to protect a computer (like set a password, or read the manual or something).

Along the same lines, could weather or not a computer is protected be established by how difficult it was to gain access? Perhaps the computer could be said to be not ptotected because the guy didn't have to take any special measures to gain access (except click the 'edit' button in FrontPage. This is a legal question and not one I have the answer to.

--CTH

Pick your analogy

[Plasmic]

In Brian's case, this reminds me more of a guy walking his dog around his neighborhood on the sidewalk who notices that the front door of one of the houses was left wide open and that there are flashing neon signs pointing to the open door that read

ENTER HERE -->

TAKE EVERYTHING IN MY HOUSE! PLEASE! I DON'T WANT IT! IF I DID, WHY WOULD I PUT THIS SIGN UP AND LEAVE MY FRONT DOOR OPEN?

So, the guy looks at the mailbox to find a house number, looks up the number in the neighborhood directory, and calls the owner to make sure he's aware of the situtation.

We can start an entire thread on analogies for things like what Brian did and what portscanning is, but it just becomes subjective depending on how familiar you are with the technology. To many of us, open up a file that contains contact information after Frontpage accidentally goes into editing mode instead of read-only mode (or whatever) and then contacting someone about it seems trivial. But to your average FBI cybersleuth, it's just as trivial to spin this in an insanely dark direction.

Isn't it more fun to catch cybercriminals than to wander around determining that those people are actually innocent? Try to convince your average cocky FBI boy of that.

Re:Donations...( I *do* know him )

[CoreDump]

Actually, I do know Brian on a personal level. I've known him for a few years. I work for a national ISP based in the Chicago area, and have collaborated with him on some projects in the past, so I know who he is, what his convictions are, and he's certainly not guilty of anything malicious in this case. I'm not posting as an AC, so feel free to check me out as well, if you are convinced this a conspriacy to dupe the Slashdot community.

If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worth of a *FEDERAL FELONY* conviction.

I donated to Brian's cause, because a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).

If you don't believe in this case, donate to the EFF instead.

Parallel Senarios...

[Pollux]

Passer-by: "Hello, police? Yea, I was driving by KMart when I noticed that the doors have been broken off of the front of the building. You might want to get someone over before the place gets robbed."

Police: "Stay there for a while sir and watch things until we arive."

<I>15 Minutes later...</I>

Passer-by: "I'm glad you made it. I was getting tired and..."

Police: "You're under arrest for theft and breaking and entering."

Yea, that makes a lot of sense.

Re: Has common sense become less common?

[3247]

If you make an anology, you gotta make a correct one:

Hi. I just wanted to let you know that I stopped by your house the other day, and I saw that your front door was standing wide open. The next day it still was wide open. So I went in to see whether there was anything wrong. Everything looked ok except that I found what looked like a key for your safe lying open on the table. Just curious how stupid you really are I tested it and it was really fitting. I think that you have a security problem.

(Note: In real life, thie might constitute trespas. However, there's no such thing as digital trespas. In real life, you'd probably just call the police.)

Entrapment and other issues.

[Restil]

First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically thats entrapment.

If the company asks me to demonstrate breaking into their website, then thats the same thing as inviting me into your house then having me arrested for trespassing.

Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.

All that aside, what do we do? Should we not bother to help the world secure itself? Should we just worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.

How DO we deal with this? Law Enforcement either doesnt' have a clue, or doesn't care, and probably its both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure microsoft crap and have it work, and microsoft certainly isn't going to take any blame for it.

This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcment involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.

As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if its not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?

-Restil

Re:Has common sense become less common?

[Zico]

It's a fairly obvious difference between cracking a system, and exploiting the problems found, and coming across a problem by accident and reporting them in a sensible manner.

How is what he did sensible? He works for company X. On day 1 he finds a misconfigured server run by company Y, his direct competitor. He spends this day poking around two of the sites hosted there, testing out usernames and passwords that he found on at least one of them. Does he tell anyone who could fix the server anything? No. Not until the next day does he let anybody know about it (assuming he didn't share the info with his buddies), and when he does so, does he call the server operators? No, he goes to company Y's customer and tells them. And he doesn't tell their IT department, he tells it to a newspaper editor. He's not some good samaritan, because he never did tell company Y about the problem with their server. He was still showing people the hole 10 days after he found it.

The sensible thing to do, which I've done a few times, is as that the instant he realized that there was a hole in the server, he should've immediately quit playing around with it and immediately called or emailed the customer or company Y. That is, if he really wanted to wanted to be a good samaritan. If he didn't want to be a good samaritan, that's fine, he doesn't have to call, but you don't sit there poking around the hole after you realize that it's there.

Wrong Lesson

[fm6]

Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

Totally wrong. Somebody who knows the technology must have been involved even before the called in the FBI. And I'm sure the FBI and the U.S. Attorney also have technical experts.

Undoubtedly Cyberlink has a policy of referring all security breaches with to the authorities. They probably call it "zero tolerance" or whatever the get-tough buzzword is this week.

Common sense says that West behaved responsibly. He inflicted no actual harm on the Daily News web opeation, and indeed probably saved them some down time, or worse.

Unfortunately, common sense is not relevent here. When somebody gets caught in a technical violation of the computer security laws (even when the violation is matter of interpretation, as in this case), the authorities have every motivation to "send a message" and go after the "culprit". Brian West's criminal intent, or lack of it, is simply not to be considered.

The ultimate safeguard is supposed to be the trial jury, which would presumably see that Brian is anything but a criminal. But in order to avail himself of that safeguard, Brian has to expend all his financial resources in an expensive trial.

So the U.S. attorney offers Brian a plea agreement involving no jail time. Brian gets to walk away with some of his finances intact, and the feds get to chalk up a conviction. Everybody's a winner.

Outragous? Yeah, some people would say so. Stupid? No argument from me. Counterproductive? Actually making things worse? Absolutely. Unprecedented? You've got to be kidding. This is the way the justice system works, and this sort of thing happens every day.

I've long had a policy of never reporting security breaches, unless the victim is somebody I know and trust. I've had brushes with the "shoot the messenger" mentality before, though never anything as nasty as this. I'm not suprised, but it's a little chilling to see my worst fears so thoroughly confirmed.

Don't trust the Oklahoman - HORRIBLE REPORTING

[lonesome+phreak]

I live in OK. Never trust what the Oklahoman says. It has been judged one of the WORST newspapers in America (http://www.cjr.org/year/99/1/worst.asp). They are racist, homophobic, and very skewed on all their reporting.

He has not been charged!

[small_dick]

Ahem, this man has not been charged with a crime. That means they are blowing smoke -- for now. He does not need an attorney.

Look, several years ago, I walked near an area where a sexual assault had taken place. The police saw me, and you can imagine what happened. I was a perfect target -- single, no alibi, just walking between two places alone.

They questioned me, took my info, and left. The next day they started calling me at home and at work, trying to get me to confess, trying to get me to "accept" a lesser charge.

They stated that if it went to court, they had enough circumstantial evidence to convict me, that if I didn't take the offer, they would go for the most severe charge. I would be in jail for "years", and (obviously) lose my job.

If I would just confess to a lesser charge, they would "guarantee" no jail time, and no fine. After seven years, it would be like nothing happened, there would be nothing on my record.

There was just one problem with accepting the blame : I was not the perpetrator; I commited no crime.

So I was scared. I spent some money on an attorney ($75) and the guy wanted thousands "up front" to "insure my freedom".

As it turns out, most lawyers are lying bastards. I talked to my Dad's attorney about this, and he started laughing. He said "My God, this is America! You haven't even been charged! They're blowing smoke up your ass to try and get a free conviction for doing no work!"

He recommended that I call the Detective and state:

"My attorney and I will surrender to your department when charges are filed, please contact me at that time. I have no intention of fleeing; I would like to avoid the embarrassment of being arrested at my home or place of work".

Total cost for a real attorney : $0.00

I was never arrested, charged or contacted again!

Know your rights! You do not have to speak to the police...you should respect them and answer rudimentary questions with honesty, but once it becomes clear that you are a target of the investigation, stop talking! Simply tell them you intend to turn yourself in when charges are filed.

Re:He has not been charged!

[small_dick]

IANAL either, but I believe it's actually protected free speech.

The detective was pushy with me, insistent. Remember, I was not charged, arrested or mirandized. More or less, it's consenual communication. I had little experience with the law prior to this incident, other than things like tickets.

It's been decided by the supreme court that the police are not bound to tell you the truth during an interview. There are bounds, but they can say odd things like "What if I tell you I have an eyewitness? Will that help you make the right decision?" (BTW, the detective used this exact line on me!) Note that he did not claim to actually have an eyewitness.

Now that I look back on the whole thing, I have to say these people are pros. They have guidelines, and they know exactly what they are saying and doing. They have years of experience and training in getting convictions, in any way possible.

Another tactic was telling me that "The truth, your guilt or innocence, does not pay my salary. Convictions do. I can convict you -- I've been convicting people for 15 years, and I've never lost sleep over it. I'm one of the best. I hate to see you make a decision to go to trial and ruin your life. Do the right thing and take the lessor charge."

Probably the thing that hurt me most, and I know now it was all an act, was when he recounted a horrible murder that occurred some years earlier. Everyone in the city knew the details, the rape and murder. This detective claimed to have busted the guy, and he gave me a horrible look and said "You're just like him, aren't you? I know criminals, and when I look at you I see a monster. I'm going to keep coming after you, and I won't stop -- ever". Well, for someone like me, I almost started crying, as ashamed as I am now to say that. The bright lights, the investigation room, the two of us alone, eye-to-eye across the table. The big police banner above his head on the wall -- everything made him look correct and invincible.

Another reason it's not harrassment is that he did not call again once I asked him to stop. My dad's lawyer made that clear -- that I should not be asked any more questions or called again until charged.

Hope this helps people understand what they might have to face someday -- always help the law, but don't hurt yourself in the process. When you sense that the line has been crossed -- that they are considering you a suspect -- stop talking!

I hate to think how many "people of lessor mental capabilities" have taken the fall for things because they simply believed the detectives about all this nonsense.

Re:Has common sense become less common?

[Cramer]

Actually, if it ever goes to court, there may be nothing to present. Unless he was aware the phone call was being recorded, the tape is tanted. If there was no search warrant, any materials collected by the FBI at his place of business is also tanted. If the agents didn't identify themselves prior to asking him to show them what he meant, that's entrapment. And of course, if he was never read his rights, ...

While I certainly would agree, on the surface, this looks stupid, we may not have the full story. AND, accidental or intentional, he is almost certainly guilty of "computer tresspass". The "door" analogy is a little flawed... one cannot "see" that a password is not required without actually trying. Look at it more as walking up to knock on a door while blind-folded. Bascially, a locked door looks just like an unlocked door; you have to try to open it to tell one way or the other. And thus, the law is broken (bent, whatever.) Laws that apply to the physical world don't always have an equal in the virtual world.

(The lack of formal charges would suggest nothing will ever come of this stupidity.)