Brian West Update

Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.

New laws saying this is "life behind bars" offence

[ZenJabba1]

I wonder if this is the kind of "law breaker" DoJ hopes to lock behind bars for the rest of his life?

Think about it

[Guillaume+Ross]

Does that mean if you tell a competitor's client "I see you use NT" that you will go to jail ?

Re:Think about it

[Carbonate]

Perhaps you didn't read the article. He found the security hole and then proceeded to steal scripts from them. His intention was to rewrite them and then sell them for a profit. What he did is called corporate espionage.

Re:Think about it

[Manaz]

No, it does not, not unless you actually breach (apparently ineffective) security and enter a system you are not allowed to have access to. Just by checking a response that a server will give publically as to which Operating System it is running is NOT breaching security.

If you have actually bothered to read the press release, it clearly states that West actually penetrated a (supposedly) secure service. He found a security hole, and then used it to breach the security on the server. Whether or not he had malicious intentions is irrelevant - I know it's often used, but the following euphemism still holds true: If someone breaks into your house, just to look around, without doing any actual harm, they are still breaking the law. Just because they climbed in through a window that they discovered you hadn't locked doesn't make them any less guilty.

The fact that he didn't seem to have any malicious intent is reflected in the fact that he was charged with (and pleaded guilty to) a misdemeanor. Had he had malicious intent, or done any malicious damage, I'm sure that he would have been charged with an actual crime (there is, to the best of my knowledge, even though IAMAL, a legal difference between a misdemeanor and a crime).

Re:Think about it

[Guillaume+Ross]

Actually I was only whoring for Karma ;)

Re:Think about it

[DJerman]

Does that mean if you tell a competitor's client "I see you use NT" that you will go to jail ?

Not unless you then say "You should use some kind of UNIX instead...", and the person is a terrorist. Then you're "advising or aiding".

Re:Think about it

[Guillaume+Ross]

I think you advised me by telling me how to advise terrorists. Please hold on while the FBI runs after you to keep your priority.

Re:Think about it

[tang]

He didn't have malicious intent? You didn't read the article did you? Just admit it!

Clearly his intent was to.. steal software and sell it as his own...Look at :

"Subsequent investigation revealed that WEST had downloaded the computer files, was in the process of rewriting the files, and intended to market the revised software program." -(From the linked article)

That isn't malicious?

Re:Think about it

[s390]

(there is, to the best of my knowledge, even though IAMAL, a legal difference between a misdemeanor and a crime).

I'll give you a break and mention that the acronym is IANAL (I Am Not A Lawyer). If you _are_ a lawyer, well...

The proper distinction is misdemeanor versus felony - both are "crime" in the sense that people who commit them can be prosecuted, found guilty, etc. However, misdemeanor (literally, mistaken behavior) is much less serious than felony (a heinous act): a misdemeanor usually won't disqualify you from getting a job, depending of course on the nature of the conviction and the job, whereas a felony often makes subsequent employment more problematic, especially in a capacity more responsible than low paid hourly work. And felons are prohibited from owning guns and voting (though in many states they can apply to have their voting rights reinstated after serving their time). Overall though, you _don't_ want to have a felony record.

Many offenses - especially white-collar ones such as this case - can be resolved either as misdemeanors or felonies. Typically, if the situation is marginal, or intent was lacking, and no harm was actually done, etc., the prosecution can be persuaded to offer a plea to a misdemeanor "in the interests of justice" (i.e., this clears the case quickly without requiring an expensive jury trial). That's what happened here - the proverbial slap on the wrist.

This guy committed theft and hoped to profit by it. He's lucky to be getting off with a misdemeanor. If he'd simply reported the hole, he'd be in the clear.

Re:Think about it

[Guillaume+Ross]

What? Face it everyone likes whores !

Re:Think about it

[chickenmilkbomb]

When I was growing up, my parents used to leave a key to the house hidden under a rock in the backyard in case I got home and they weren't there. I know other people that did the same thing. Some people might say this is a common and well known security hole in single family dwellings.

Now if someone found that security hole, would it be ok for them to take the key and make a copy? Would it be ok for them to repeatedly break into my house to take my personal posessions? Would it be ok to distribute the key to others? For a profit? Would it be ok as long as they told me about it later and told me how they could make my house more secure?

The existance of a security hole does not make it ok to steal. That's the bottom line. Pick another cause to fight for.

Re:Think about it

[ichimunki]

Not only that, he abused the trust of his fellow hackers (if the article is credible) by lying about his intentions. This doesn't help any of us, since next time we see a case against someone like Dmitry Sklyarov or Randal Schwartz it's going to make it that much harder for those of us who understand the issues (even if only vaguely at times) to trust the accused-- and it certainly doesn't help the general public come to understand or trust the hacker community.

Re:Think about it

[tzanger]

I'm going to generalize a little bit here and take this out of the context of this one hacker.

Now if someone found that security hole, would it be ok for them to take the key and make a copy? Would it be ok for them to repeatedly break into my house to take my personal posessions? Would it be ok to distribute the key to others? For a profit? Would it be ok as long as they told me about it later and told me how they could make my house more secure?

I agree: what you have wrote is criminal activity. No worse than B&E, theft (possibly grand theft) and whatever the crime is called for profiting off of criminal activity. There is no need for a special "Urban KeyUnderRock Act" -- we have laws to handle this already. But what about this scenario:

Instead of a home, how about a medical office. Some place of business keeping private information on people. Now if someone found that security hole (key under rock), would it be ok for me to -- after contacting you and giving you ample time (weeks) to correct the problem -- write a detailled pamphlet (sp?), write the newspaper, call in journalists, etc., describing the security hole and how widespread this type of security violation was and how it affects all of the people who go to this medical building? Would you have any right to call the cops on me? To try and have me arrested, sued, fined, incarcerated? Because you either don't want to spend the money to do it right?

My opinion is no. I warned you, showed you how to fix it and scolded you for being so patently stupid and disrespectful of private information and you either threatened me or blew me off. My going public with the information is, in my opinion a public service -- the same type of thing as the whistlebowers and people who risk their lives and personal finances to bring a big bad company to justice.

Let's face it; Most companies think this kind of stuff is only doable by UberHaxors -- therefore it's not worth fixing just because some guy comes up and shows them how it's done. The policies are changing, and that is a good thing. However with Mr. Ashcroft's assinine laws he is leading the way to making true security a thing of the past.

Re:Think about it

[pandaman9000]

Incorrect. I worked at the HelpDesk of G.E. in Appliance Park, Kentucky, their central IT and server location, and different happened for me. I was on a COMMON mapped drive, provided(with FULL read and write permissions) for everyone in buuilding 4(IT), by default. The server was BLDG4USERS1. the pccommon directory is essentially a repository for temporary items from users of the system. Anything can be read or deleted by anyone. In this mapped drive, I found a folder, Jenne, which contained various items. Among these (yes I was on lunch, and had time) were router configurations, switch configs, and even weak encrypted enable passwords. When I approached the person I believe owned the folder (a GE network support person), he didn't seem concerned or alarmed. He did, however thank me. Since we were both in the break area (I know I was on break), I went on to divulge that I had also noticed his social security number in an expense report, apparently pre- filled, to expedite his filing of such reports. This took him by surprise, and he gave me an apparent sincere thanks. I had already approached my immediate supervisor about notifying him, but he had no solution, and no interest in doing so. I did not want to carry this clear up the chain of command, because, as a creative and enthusiastic person, I had made enough waves trying to get a Cisco CCNA/NP lab up and running. I lost my job. I was 'untrustworthy'. There are no hidden facts, i'm not slanting the story, and I can even see how snooping into a personal DRIVE could be real bad. This was a PUBLIC drive. I could've deleted his whole folder....

Re:Think about it

[chickenmilkbomb]

I completely agree with you and I think that your analogy is better than mine. I was talking more about this individual case and computer crime than government regulation. As far as the proposed legislation, you hit the nail on the head. And to tell you the truth, that is much more important than this individual's case.

These mothers should mod you up!

Re:Think about it

[SirGeek]

However.. one part of the analogy you forgot.

In this case the person would have gone into the office and photocopied records, xrays, etc. (confidential information).

I had thought people were over reacting in the calling in of the police/etc. I guess not.

Re:Think about it

[tzanger]

In this case the person would have gone into the office and photocopied records, xrays, etc. (confidential information).

Depends on intent. In this guy's case, definately not cool. In my whistleblower example, proof is often needed.

Intent is everything. :-)

financial gain

It seems that his plight was not as was reported. It says he was trying to profit from the stuff he downloaded. Maybe he wasn't so innocent after all.

This whole thing makes me so mad.

[bl1st3r]

He shouldn't have had to plead guilty to ANY offense. He should have been given a reward by the company for finding a problem that could have easily cost them thousands of dollars if exploited. And this wasn't any complex hole either. Any 5 year old with a browser and Frontpage could have hacked it.

-blister

Re:This whole thing makes me so mad.

[Lonesmurf]

No, he should go to jail as per the law requires. He not only didn't alert the system admin, he downloaded files and changed them, got access to password files and changed them, and distributed both to a friend.

Not only that, but he afterward went around an told everyone a different story than what he had actually done. I say this guy is an immature loser that deserves what he gets.

The responsible thing to do would be to anonymously mail the admin and tell him/her that such and such exploit is open and that he/she should fix it.

Re:This whole thing makes me so mad.

[q-soe]

Any 5 year old can sell crack - its illegal as well.

He didnt just 'hack it' he stole data - thats a computer crime and he pled guilty - end of case.

I was one of those people who said this the last time and got flamed and moderated down for suggesting the guy might not be all he seemed.

Some slashdot readers need to read the information and think about things

Re:This whole thing makes me so mad.

[bl1st3r]

Ahhh.... I somehow missed the point about him trying to make a profit from the re-writing of the scripts. However, isn't that what reverse engineering is all about? It is just easier with PERL because it isn't compiled.

Re:This whole thing makes me so mad.

You have ONLY received one side of the story - the side that's published as a press release by the Department of Justice. It's fairly clear BRIAN KEITH WEST was under duress when he signed this document. There is no reason to believe it is an accurate representation of reality.

Re:This whole thing makes me so mad.

[q-soe]

Lets get this straight - independant forces and overwhelming evidence of what he actually did are everywhere - his fingerprints are all over the server and hes too dumb to delete the passwords and files he stole BUT obviously the police and FBI made him confess under duress ?

What IS the weather like on your planet

Re:This whole thing makes me so mad.

[Jburkholder]

>He should have been given a reward by the company ...

except for the following:

Subsequent investigation revealed that WEST had downloaded the computer files, was in the process of rewriting the files, and intended to market the revised software program.

I was pretty pissed off too about this when the story first surfaced. Little additional details like this one kind of put a different light on it, though.

Re:This whole thing makes me so mad.

[tang]

No. Do not give reverse engineering a bad name. Stealing something is not reverse engineering it.

Re:This whole thing makes me so mad.

Hey, smarty, the things - the ideas- the facts you cite are all the ones in the government's document. You know, the one the government wrote for Mr. West to sign which Mr. west signed to get a reduced charge and avoid a trial he could not afford. Just because the government's document says these things were here does NOT means they were. I don't see a single government document (a pre-written 'confession' so to speak) as overwhelming evidence of anything.

Practical Extraction Report Language hax0r

On or about February 1, 2000, in the Eastern District of Oklahoma, and elsewhere, the defendant, BRIAN KEITH WEST, did intentionally access a protected computer without authorization through the use of an interstate communication, and did thereby obtain information from a protected computer; to wit: the defendant, BRIAN KEITH WEST downloaded proprietary Practical Extraction Report Language scripts and password files from the protected computer.

I like how they used PERL's full name to make it sound important.

Re:Practical Extraction Report Language hax0r

[Zico]

I like how they used PERL's full name to make it sound important.

Yeah man, I can't believe they would go and give the public some extra helpful information like that. Why couldn't they have just left the acronym out and let people stay uninformed? Don't the realize that the ego of the nerd demands that people know as little about computers as possible, so that they can laugh at them and feel better about themselves?

Oh yeah, and on behalf of all those who were moderated down (myself not included, amazingly) in the original story for trying to explain that this guy wasn't a good samaritan, allow me to say, "We told you so." To my brothers and sisters out there, please accept my impending loss of karma points due to this post as a worthy tribute to your earlier efforts.

Ahhh, now I feel better. :)

It all seemed so clear the first time through...

[dmarcov]

I remember reading that story and thinking about here was a good guy -- one of us, doing a fairly nice thing and reporting a security hole (that obviously someone other than him should have been the first to notice). I remember being more than a bit outraged that law enforcement couldn't tell the difference between between breaking into a system malciously, and just noticing something amiss.

Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy I suppose. I think it is the for "profit" motive - that he would steal someone elses work and try to sell it as his own is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
I'm glad the rest of the details came out on this one.

The worst part of it is:

[Dr.+Smeegee]

... I am the kind of pollyanna cretin who beleived the guy when he put forth the story that he was being punished for doing his competitor a favor. "Why you bad men always pick on nice hacker fellers? You mean men!"

The theft and the defacement are so banal. The really bad part is how angry I got at the "injustice" done him by the unthinking cops.

Sorry cops.

Re:The worst part of it is:

Hold on a second. This is a plea agreement written by the Department of Justice you're reading. This isn't some indisputable accurate representation of reality. It's fairly clear that BRIAN KEITH WEST was in a very bad position and that he was offered to not be placed in jail and only be charge with one count of 'Accessing a Computer without Authorization' if he'd just sign the dotted line. His having signed the document under duress (risk of punishment) does not mean that what the Department of Justice wrote is true.

There's no reason you should be apologizing to the cops. This situation is not convincingly resolved.

Re:The worst part of it is:

[SightlessOne]

Okay i can agree that some officials (cops etc.) may not quite know what they're talking about. I did believe him when this story first came about, and i felt it was wrong because of the idiocy of these aforementioned officials. However, i somehow doubt that the facts presented have been completely fabricated by the DoJ (ie he *HAD* the perl scripts on his computer and was porting it to php).

I'm prolly gonna be smacked around for saying this, but come on people seriously..

Re:The worst part of it is:

[moonboy]

Just to provide a little insight, I was a cop at one time and one of the most important lessons I learned, that still serves me well, is that there are in fact (at least) three sides to every story. One side for each of the parties involved and then the side of truth which is always in the middle.

No one has a monopoly on the truth.

Re:The worst part of it is:

bull. no lawyer in the world would advise you to cop to something you were totally innocent of to avoid a lengthy trial. the only reason he bargained is because they had very good evidence on him on much more serious charges, and they offered him a way to avoid conviction on those charges. that's what a plea bargain is, dumb ass. it says "you know and we know you're guilty. now, we can go through the rigamarole of a trial and throw your ass in jail for a very long time, or you can save yourself from some big lawyers fees, and save the DA some time by copping to these lesser charges."

NO SANE PERSON WHO IS 100% INNOCENT WOULD PLEAD TO A CRIME, GIVING UP THEIR RIGHT TO A TRIAL AND THE OPPORTUNITY TO CLEAR THEIR NAME.

so, either West is innocent and insane, or completely guilty and smart, by taking the easier way out.

Re:The worst part of it is:

[ab315]

> no lawyer in the world would advise you to cop to something you were totally innocent of to avoid a lengthy trial

Yeah right, in your fairy tale world.

Not only do lawyers, especially public-defenders, tell innocent people to take a plea bargain, innocent people even confess under police pressure. DNA evidence has shown many cases of wrongful conviction. Just search for "plea-bargain dna wrongful-convection" on google for plenty of examples. One example here.

Re:The worst part of it is:

[rbeattie]

You're right, I felt REALLY sorry for him! God this news makes me really happy.

Why? Follow me on this: Lately while everyone else is freaked out thinking that terrorists are going to bomb their local mall next, I've been freaked out at how the Republicans are using terrorism as an excuse to push defense spending and hammer of our civil liberties. (Don't fool yourselves, in D.C. it's back to politics as usual.)

Between Dimitry, the Georgia screen saver dude, this guy and the fascism labeled "war on terrorism", I've started to think that our government has lost all balance and that we as a society were doomed.

Now it seems that this guy DID do some things wrong - I don't believe the whole report but to me the downloading of a password file and relogging on was the worst part - and our government isn't COMPLETELY chock-full of jackbooted thugs waiting to take away our liberties and throw us in jail.

It's just one less thing to worry about, and these days, that's cause for celebration.

Re:New laws saying this is "life behind bars" offe

[Lonesmurf]

I was going to mod this down, but I am just going to reply instead. This isn't insightful or interesting, it is WRONG. The new law only applies to .GOV and .MIL websites. The site brian west hacked into was neither. Get your facts straight before you start spouting nonsense.

I can't find the original story on the new DoJ laws because the stupid slashdot search is not working. Someone want to back me up on this or provide a link?

not much pity here.....

[dragonxhero]

some posts act like this guy is innocent.... IMHO, he shouldn't be punished for the penetration or browsing, cause he reported it to the company.... but, he apparently deliberately lied to the company about some stuff, and attempted to steal some of their intellectual property for his own personal gain.... sorry, this guy seems a bit shady, and it seems to me he got what he earned for himself....

Re:not much pity here.....

Insightful?! Where does it say that he was stealing intellectual property? Please don't tell me it's some lame ass perl back-end handler, I'd be willing to bet that 1/4 of the population that reads slashdot could write one of those. :P

Not exactly a White Knight

[legLess]

From the article, near the bottom:

"This case generated a very substantial amount of e-mailed correspondence to our office and across the world," [United States Attorney Sheldon J.] Sperling said. "The wide range of opinion was instructive. In this case, the defendant rewrote the files he downloaded, planned to distribute his rewrite, added another page to the website, modified the password file, and misled sympathizers and others as to both the character and scope of what he had done."

This is exactly the kind of cracking that needs to be prosecuted. This jerk wanted to have his cake and eat it too: look like a hero for publicizing the security hole, then profit from stealing another's work. It doesn't even sound like he was very smart about it.

Some people posted in the original article saying basically the same thing, but were ignored or flamed. Others were obviously lied to. People wrote letters, donated to the EFF, etc.

It's nice to see such noble acts, but please folks, take cases like this with a grain of salt until the truth comes out, eh? We geeks already have enough of a reputation for being reactionary.

Re:Not exactly a White Knight

[Ptahian]

It's still not clear that what he did should be prosecuted. The things listed in that last paragraph would be consistent with a simple, innocent test to see if the passwords/access worked. And having an intention isn't the same as acting on it (and conspiracy requires >1 party ttbomk).

I still believe the FBI is attempting to parade it's abilities/intentions toward computer crime using this case.

Re:Not exactly a White Knight

I think most of the white-hat/wannabe hacker types think we're here to do good in the world, make money, and have fun, and that the stupid government worries about us because they misunderstand us and fear our power (check out the blurb for a thinkgeek t-shirt).

As such, when someone nominally competent complains that they're innocent, we fall somewhere in between experience and expectation of everyone else's fear of us, and side with the nerd. I think it's a totally natural response on our part (as well as my totally natural response to want to email the DOJ to say I hope they throw the book at him, in part for deceiving all us Good Knights of the Routing Tables).

I don't think this guy should put us on guard too much; we rely as a community on free information flow and starting to mistrust each other will hamper that. The small exceptions (such as this one) where we get egg on our face and have to recover, I think, are worth the continued cohesion of the community. After all, we're smart enough to mentally correct for the few rotten apples to avoid cognitively spoiling the entire barrel, unlike the rest of the world, right?

Re:Not exactly a White Knight

[legLess]

Quoth you:

The things listed in that last paragraph would be consistent with a simple, innocent test to see if the passwords/access worked.

Then at very least he's guilty of extreme stupidity. But that's not the case - his sworn testimony is that he planned to redistribute the code he downloaded and profit from it. That's what makes this a crime.

Re:Not exactly a White Knight

[Telek]

here's the dumb question. Apparently the webhost got spooked when they looked at the logs to see that there was a file downloaded, or did the sysadmin just freak and call the cops anyways?

I.e. if there was reason to believe that this guy had downloaded files or otherwise stolen IP, then I can agree with the search being performed, however if there was no reason to believe this, I think that the cops were being too aggressive to search & cease his property without reason to believe that he had stolen anything.

However if there was logging that he had downloaded stuff, then why the hell didn't he erase the logs? If you have that level of access to something, why wouldn't you erase all your tracks? Seems a little daft to me...

Re:Not exactly a White Knight

[Alsee]

I think that the cops were being too aggressive to search & cease his property without reason to believe that he had stolen anything.

It says he consented to a search of his computer...

Seems a little daft to me

Have to agree with you there :)

Re:Not exactly a White Knight

[Ptahian]

I take it the intent to distribute for profit is what legally makes the download "theft", but I'm still inclined to distrust the FBI. (maybe I'm just arguing).

He must be extremely stupid if he did steal, then inform on himself. But maybe he just had a bit of good karma? Do we need to prosecute every 9 year old who steals a candy bar then returns it?

Re:Not exactly a White Knight

[crazyj]

Who the fuck are you calling reactionary?!

Re:Not exactly a White Knight

[Lars+T.]

Eh? How did you get that from the article? There is no indication to what he testified, only what he pledged guilty to the one charge that he

did intentionally access a protected computer without authorization through the use of an interstate communication, and did thereby obtain information from a protected computer; to wit: the defendant, BRIAN KEITH WEST downloaded proprietary Practical Extraction Report Language scripts and password files from the protected computer.

"Protected" as in "the door was wide open, but there was a lock on it".

And he didn't want to "redistribute the code he downloaded", he analized it and rewrote it in a different programming/scipting language. Which leaves an interesting question: Would there have been a problem with what he did if the PERL scripts had been GPLed? Does the GPL still hold if you rewrite the program in another language?

Noble Intentions?

It is very clear to me that his intentions were not noble and therefore his punishment is just (well as just as they come in today's modern cybrecriminal erra). It is bizarre how one can interpret this as an act of a good faithed hacker. It is strikingly clear that his intentions were to steal the code, rewrite, and redistribute it. Any modern software license, except public domain, forbids this behavior. I guess it is a clear example to the world, not all hackers have good intentions.

It just goes to show..

[DavidBrown]

..that we shouldn't automatically believe the story of every hacker/cracker/defendant who claims that he's being prosecuted for being a "good citizen". Every single prosecution of someone for some sort of "computer crime" isn't cause for us to plead for more donations to the EFF.

This isn't to say that we shouldn't support the EFF.

Most every criminal defendent comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.

The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.

Re:It just goes to show..

[Absynthe]

Admitted to being one I think is a huge key. Right now is not a great time to be an evil hacker in front of a jury. He might have just decided it was best to plea and get what he possibly could. I just can't imagine this newspapers perl scripts or whatever he had as having resale value. Is anybody in that market? It just seems insane to me. Seems like he would have had an easier time hacking apart slashcode to get what he wanted.
On the other hand, he may have done something just like that. I'm just saying these are interesting times. I wouldn't take a confession of guilt to mean that the release put out is the truth, the whole truth and nothing but the truth.

It's all in a name

[ip4noman]

It wouldn't have sounded so important as

Pathetically
Eclectic
Rubbish
Lister

... which any REAL Perl h4xx0r knows that's what it really stands for... ;^)

Re:It's all in a name

[SpaceLifeForm]

pedant-mode
Pathologically Eclectic Rubbish Lister
end-pedant-mode

I'm curious, was it really interstate communication that was used? Seems to me that Uskogee, Oklahoma and Stigler, Oklahoma are really in the same *STATE*, and therefore he could *NOT* have used INTERstate communication to break the law.

USKOGEE, OKLAHOMA - BRIAN KEITH WEST, age 24, of Stigler, Oklahoma, pled guilty today to intentionally accessing and obtaining information from a protected computer without authorization through the use of an interstate communication in violation of Title 18, United States Code, Section 1030(a)(2)(C).

Re:It's all in a name

[binford2k]

Here is an email communication from the editor at PDNS that should answer your question.

you're welcome Mr. Ford...also, the FBI got involved because there were
attempts made from three or four different offices of the company Mr. West
worked for to get into the software...Oklahoma and Arkansas, thus crossing
of state lines...I'm not privy to all the information about this case
because we, here at the newspaper, are not part of the suit...Mr. West is
trying to get as much sympathy as he can, but, he is not telling the whole
story...only the portion that paints him as a "white-hatted hacker".
----- Original Message -----
From: "Ben Ford"
To: "Grover Ford"
Sent: Wednesday, August 22, 2001 1:30 PM
Subject: Re: news

> Grover Ford wrote:
>
> >the newspaper did not file charges against Mr. West...owners of the software
> >that was tampered with and the FBI are pursuing this matter.This is the
> >story that ran back in February 2000
> >
>
> Thank you for the timely answer and clearing up what seemed a rather one
> sided article.
>
> -b

Perhaps this is yet more proof

Law enforcement shouldn't be allowed to enforce laws they don't entirely understand. This is on the same level as someone noticing that you left your car doors unlocked and pointing it out to you.
The goverment, both the people who create the laws, and those that enforce them, really needs to get some common sense, to over ride their panic that something is occuring that they don't quite understand.
This doesn't just rest on the government though, in order for the case to be brought to trial, the company would have had to press charges, which means that a good portion of this rests on them for being poor sports. This would be the equivilant of telling someone they left their fly open and getting stabbed for it. Either the company really had a reason to get this guy or they had an IT staff that didn't want to admit they were wrong, or something.

Re:Perhaps this is yet more proof

[pde]

Good *god*, how long is it going to be before people stop believing this argument? This isn't like someone "noticing that you left your car doors unlocked and pointing it out to you". It's like someone noticing your car doors are unlocked, climbing in, popping the trunk, having a good look around in there, rifling your glove box, stealing the paper you left there with the access code for your home security code on it, and grabbing a copy of the business plan and customer list you had in the back seat.

Re:Perhaps this is yet more proof

[Simon+Garlick]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

RTF article.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBO7IE05Wn2pPDur23EQM+XACdGBBdBejGNG7MnTJl gw Hz0JbkX48AoKhM
WEHnec2AclMpxrQzzgwPDagB
=7Wce
-----END PGP SIGNATURE-----

Re:Perhaps this is yet more proof

[mosch]

If you're going to post pgp signed messages, at least post VALID pgp signed messages, you space-wasting geek.

slashbots all have egg on their face

remember when this story broke, slashbots (and their editors/cult leaders) were scrambling to defend this guy and so quick to demonize the government?

Let this be a lesson to you sheep to wait for all the answers before you jump to your tired, old conclusions.

P.S. HAW HAW!! on all of you

why would this idiot steal files and report it?

I can just see the conversation now "Um yeah, I hacked your site and decided to download a few files so I could rewrite them and profit from it" .. "You can just send your thanks for my notice of the flaw, in a monitary form, thankyou"

Not a very bright fella

read the story folks

[evilpimpstar]

This guy stole. It's sorta like if you saw a Wells Fargo truck with the back door open, took a couple of money bags, then told the driver, "Hey, you're back door is open."

I think you'd be arrested too.

Re:read the story folks

But aren't security holes assumed to be intentional until proven otherwise?

Re:read the story folks

[aozilla]

Nothing is missing. It's more like if you saw a pinball machine which had unlimited free games, played for an hour, and then reported it to the owner.

Re:read the story folks

More accurately, it's like you noticing that someone is writing a book, made copies of the book, changed the names and some of the wording in the book with the intent to sell this 'new' book under your name.

Sure, if the code was licensed under the GPL, he's not guilty of anything. But guess what? It wasn't. So he IS guilty, of plagarism if nothing else.

Re:read the story folks

[Pulzar]

Sure, if the code was licensed under the GPL, he's not guilty of anything.

I'm guessing that when you break into someone's machine and copy software from it -- even if it's GPLed, you'd still be violating the "don't break into computers" law :).

Re:read the story folks

... then told the driver, "Hey, you're back door is open."

I think you'd be arrested too.

Yeah, for crimes against English!

Re:read the story folks

[Milo]

It's more like finding someones wallet, copying down the credit cards numbers, SIN number, etc., selling it and the returning the wallet. I'm pretty sure that if you sell/give away that info, that would be a crime.

Re:read the story folks

[aozilla]

No, the code was never resold to anyone. It would be like finding someone's wallet, copying down the credit card numbers with the intent to defraud, and then returning the wallet. Which isn't illegal unless there were more than 15 numbers. See US Code Section 1029:

Whoever - (3) knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;

FWIW, Brian West broke that one too, since the passwords are access devices (although if they were encrypted, he only broke it if 15 of them were cracked, I suppose).

Nor should it ever be illegal to possess a number. It's only a number. I give my credit card number to strangers all the time. I haven't yet had something stolen from me, and even if I did I would simply refuse to pay for it. Sure, the reason for that is mainly the law, but I don't have any problem with a law against fraudulently misrepresenting another person to buy on that person's credit. If I go into a bar and say that I'm you and ask them to put it on your tab, you have no responsibility to pay for my bill. If I get caught, I've committed fraud, and if I don't, then the bartender loses that money.

What if someone finds someone's wallet and memorizes the credit card numbers? Should we make that illegal too? I'm sorry, I don't buy this intellectual property bullshit. If you don't want your information being public, don't put it on a public network.

Re:read the story folks

[Fjord]

Sure, if the code was licensed under the GPL, he's not guilty of anything.

No, this is wrong. Only people who have been given the binaries have the right to the source code under the GPL. Putting your code under the GPL doesn't mean anyone can grab the code and binaries, it mean that whoever you distribute your code to has a righ to the binaries and has a right to redistribute. If you have a GPL'ed piece of code among a clique, you can't force the clique to give you the binaries or the code.

Re:read the story folks

[Alsee]

Never underestimate the bandwidth of a 747 filled with CD-ROMs.

Ok, I admit it. I'm a math nut. Your sig caught my fancy and I decided to work it out. All numbers rounded off for convenience.

First I assumed the CD's were in standard CD cases. Volume 97cc (cubic centimeters) assume 10% space consumed by cargo container/wasted space. 107 CC each. A 747 has 750 cubic meters cargo space, or 750,000,000cc. Space for 7,000,000 CD's. 5.2gigabits per CD. 36 million gigabits per flight.
Duration of flight is a critical factor. I decided to stay within the US, but coast to coast. New York to Los Angeles is about a 5 hour flight. I think it's reasonable to add an hour at each end for loading/unloading 7 million CD's, fueling and minor maintenance. That yields 25,000 seconds per flight and a data rate of 1400 gigabits per second. A landline is full duplex where as an airplane is only half duplex. It's only fair to halve the data rate to 700 gigabits per second. That is equal to 16,000 T3 lines. The highest speed connection I can find listed in use is fiber optic OC-255 at 13.2 gigabits per second. The 747 is equal to 53 OC-255 lines. Prices on OC lines are very hard to find. OC-255 looks like around $2 million per month. 53 OC-255's would cost about $100 million per month.
700 gigabps would be a pretty sweet connection, but I don't think Quake would run very smoothly with a 14 hour ping time. :)

Re:read the story folks

[bdrexler]

Nothing is missing. It's more like if you saw a pinball machine which had unlimited free games, played for an hour, and then reported it to the owner.

Actually, it would be more like playing the free pinball, and then saying to some other kid "Hey, if you give me $5.00 I'll let you play this all night." Just my $.02

Re:read the story folks

Actually, it would be more like playing the free pinball, and then saying to some other kid "Hey, if you give me $5.00 I'll let you play this all night."

That would be intending to say that to some other kid, but then getting arrested before you got the chance to actually say it.

And another thing...

[bl1st3r]

Lets apply this to non-computer terms and see what we have:
The defendant, using a security vulnerability known as a Window, was able to look inside INSERTCOMPANYNAMEHERE and read confidential documents taped on the wall. He then told the company about the problem with looking through a Window and the company bought blinds, thereby fixing the hole. However, for noticing the stupidity of INSERTCOMPANYNAMEHERE, the defendant is being served up with a court hearing for misdemeanor charges of looking inside a building through a window without authorization.

Some companies are just stupid.

Re:And another thing...

[Lonesmurf]

no, some posters are just stupid.

lets use your window analogy:

The defendant, using a security vulnerability known as a Window, was able to break inside INSERTCOMPANYNAMEHERE and read and copy confidential documents sitting on a desk. He then gave a copy of the papers to a friend to show him how utterly 1331 he was and then told the company about the problem with breaking through a Window. However, for noticing the stupidity of BRIAN WEST, the prosecution is serving legal papers up within a court hearing for misdemeanor charges of breaking inside a building through a window without authorization.

Re:And another thing...

[bl1st3r]

Chill... :) My intentions were honorable. I was still under the impression at the time of the posting that he was only trying to help out and that any documents obtained from the server were to test what vulnerabilities were present(as was reported in the first article). I somehow missed the part where he was trying to sell the scripts he stole for a profit...

Re:And another thing...

[Moridineas]

Actually it would seem to be more like:

While looking inside a Window, he realized it wasn't locked, opened the window, found some confidential documents laying around, made photocopies of them to keep, showed other people, made a few "adjustments" to the original copies, and then informed the company that they left their window unlocked.

Scott

Perhaps reading the article would be recommended.

[peter_gzowski]

It seems like those posting comments so far haven't read the article.

It seems that West exploited the security flaw to his own benefit before reporting it to the competitors. THAT was why he was charged, and THAT is why he plead guilty.

It also says that he hacked the Potea Daily News website, downloaded some files, then claimed that his intrusion was accidental... Oops, my cat stepped on my keyboard, and it happened to be the correct user name and password!

'Secure' information

How does one know it is a security hole unless they actually download 'secure' information? Does information this easily downloadable meet the definition of 'secure' in the first place?

And, so what that he tried to rewrite it -- At least he didn't plagiarize it ... The script should have been Open Source in the first place! After all, it was only posting stories to a Web site. This is all petty, petty, petty!

Re:'Secure' information

[evilpimpstar]

so by this way of thinking a bank doesn't become "secure" unless you try to steal some money from it, right?

Re:'Secure' information

I wouldn't use a bank that stores bags of my money on the ground outside. And, if someone told them about it, I'd expect an appropriate response.

Nutshell

From the court document(s)...
"This case generated a very substantial amount of e-mailed correspondence to our office and across the world,' Sperling said. "The wide range
of opinion was instructive. In this case, the defendant rewrote the files he downloaded, planned to distribute his rewrite, added another page to
the website, modified the password file, and misled sympathizers and others as to both the character and scope of what he had done."

...now, can we put away the soap boxes, please?

Justice is served in an odd way...

[jensend]

Copying password lists and using them to access data normally forbidden is not ethical in any way, and probably shouldn't be legal. He copied their perl lists via the security hole, which shouldn't be legal either. What he gets charged for is something else. One can, I suppose, complain about the charge- but one really can't say that he did nothing unethical. (BTW, they messed up the perl acronym- it ought to retain its more dignified name of Pathologically Eclectic Rubbish Lister.)

Re:New laws saying this is "life behind bars" offe

[Eigenray]

No, you are wrong.
It applies to "protected computers"

From 18 USC 1030(e):
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;

That's basically any computer on the internet.

this writeup is really pathetic, michael

on sentence. how about retracting all that bullshit you guys made up about this story in the first place

how about an apology now?

you and other editors were stoking the flames all along without much evidence supporting you.

Don't profit from criminal acts

[sting3r]

Isn't it obvious to us computer types by now that trying to profit from shady/unscrupulous/criminal acts will land you in trouble with the legal system? The precedents are overwhelming:

• If I give copies of WinXP to my friends or share them on an ftp site, either a) nothing will happen, or b) my ISP will cut me off. If I try to sell them to strangers, I will go to jail.
• If I discover a security hole and report it to BUGTRAQ, nobody cares. If I try to use it for extortion or try to sell the information, I will go to jail (just like this guy).
• If I run a (arguably) for-profit song-swapping service that deals mostly in copyrighted songs (which I have no license to distribute), I will get sued into oblivion. If I am a Gnutella node, the worst they can do is cancel my @home account.

Crime doesn't pay (much).

-sting3r

Re:Don't profit from criminal acts

If I discover a security hole and report it to BUGTRAQ, nobody cares.

Well, there are still a couple of admins that read BUGTRAQ and apply patches, but to a first approximation you are depressingly right, nobody cares.

Re:It all seemed so clear the first time through..

I agree...the major issue is that he modified the file. If he was just looking around as he said, there was no reason to do that.

I agree that the punishment for such acts arn't fair, they need to take notice of the differences in hacking a local newspaper, and a government network.

It makes no sense to me that you get the same punishment for hacking say, a time keeping computer, as you do for hacking say, a Bank.

interesting...

[espilce]

`"it is important that web sites are secure from unauthorized access and that intellectual property is protected. Cyberspace will be a better place for all if such privacy and property rights are respected," stated Assistant United States Attorney Jeff Gallant.'

Also from the release:

"Using MS Front Page, defendant discovered a common security flaw between MS Front Page and MS Internet Information Server (IIS), the server software being run by
PDNS."

So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user that was clever enough to discover yet another innovative, undocumented feature in the software..

Since the DoJ is obviously committed to making sure "that web sites are secure from unauthorized access and that intellectual property is protected," they'd better throw the FBI at any average citizen that is smart enough to research the (in)security of the software that they use, instead of targeting the company that is more concerned with taking your money than making sure it actually works.

Re:interesting...

Old bug, long since patched. Not new.

Hole not abused by MS. Sounds sexual, but means MS not prosecuted.

Criminals responsible for their own actions. MS didn't make him steal.

If he was so fucking smart (or had any sort of morals) he would have written the fucking scripts himself and wouldn't have resorted to theft. He would have managed better lies too. Don't defend the criminals, please.

Re:interesting...

[dgroskind]

So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user...

West's defense team made this very point in a press release:
From these facts it appears that Microsoft's software may have caused this unfortunate situation to occur. Mr. Sperling or the Federal Bureau of Investigation may be wise to investigate Microsoft as a possible co-defendant or party in this case.

However, West's lawyers failed pursue this line of defense. The obvious reason is that the security flaw wasn't in Microsoft's product but in the way it was deployed by the user. Microsoft provided adequate means of security here and instructions on how to implement it.

In any case, Microsoft had nothing to do with the acts to which West plead guilty.

...instead of targeting the company that is more concerned with taking your money than making sure it actually works.

Until recently Microsoft was the target of a vigorous Federal prosecution. Apparently, politics has impeded the prosecution, but the prosecutors can hardly be faulted.

Re:interesting...

[SComps]

Oh for Chrissakes! I'm no fan of Microsoft but this kind of drivel is just too freaky. Why don't we all just file a really huge class action suit claiming Microsoft is the cause of air pollution because all these people are driving to the stores to buy Windows/Office XP?!? Maybe we could include Staples and Office Max as co defendants! Yeah! That's the ticket! While we're at it maybe we can find some fat sweaty ambulance chaser to cook up a fender bender and go for the personal injury angle!!!

Re:interesting...

[linuxelf]

I am no fan of Microsoft, believe me, but blaming them for this is ludicrous. Microsoft's software didn't cause this situation. Microsoft's software made it possible for an idiot to hack into a website, but it did not cause West to hack in. This type of logic is the same that is employed in showing how, since Phil Zimmerman wrote PGP, and encryption software was used by the terrorists, he caused the WTC to be destroyed.

Re:interesting...

I am a little curious as to why Microsoft isn't liable in situations where their software is found to have security holes. If you can sue companies like Firestone for making defective products, why not Microsoft as well?

Just wondering.

How did the FBI know?

[pbryan]

I'm perplexed how the FBI possibly ascertained exactly that West was rewriting the Perl scripts in PHP to resell as a product, as they indicate as the impetus of their response of search warrant and arrest.

At first blush, it seemed like he just poked around the site a bit -- something I might do if I accidentally came across this problem, if to do nothing more than to understand the scope of the vulnerability.

So he downloaded some files here and there. Even, *gasp*, Perl scripts. Does this constitute the theft of intellectual property? Does this warrant the execution of a search warrant by the FBI?
It seems, on its face, that:

a) PDNS had more information about this individual's competitive position and included this in its complaint to the FBI, or

b) the FBI did lots of detective work (including possibly monitoring email and/or phone communication) and concluded that he wasn't so helpful, or

c) this is simply what the FBI found after the fact as a justification for their overreaction to PDNS's complaint.

Re:How did the FBI know?

[Jester998]

I think the key to this is that the Perl scripts were *proprietary*, meaning that they were developed solely by and/or for PDNS. That IS intellectual property.

I don't think anyone would mind if the scripts were freely available, but PDNS spent money on them.

From what I understand, the FBI *didn't* know that he was re-writing them in PHP until AFTER they searched his laptop and workstations. Just the fact that he stole proprietary works was enough for them to initiate a search.

Besides that, the guy downloaded and apparantly changed the password list. That is NOT casual poking around to discover the extent of the vulnerability.

Granted, if I discovered a back door, I would probably poke around too, but I wouldn't download or modify any files... if you're not meant to have it, leave it alone; it wouldn't be ethical to do otherwise.

Re:How did the FBI know?

[q-soe]

Answers

A: He boasted about it to the Newspaper editor and several other people (read the info on his case on the web - its in newspaper accounts)
B: they didnt have to - the guys a fool - he left the evidence on his computers and bragged to the people he hacked - who notified the local police who called the FBI
C: Naah - this is what he did wrong - he committed a crime and got caught and charged - why bother keeping definding the little shit ?

The argument over intellectual property is so much crap - they were on a secured password protected section of a server he had no legal access to and also i will point out one belonging to a competitor of his - and he stole them thus commiting theft.

The FBI has jurisdiction on this and the other reason they were called in one suspects is that the brain dead i mean defendant boasted about hacking into a local banks systems (a lie it seems but he saids it on the record in an interview with the nespaper and it was thus reported) and if that bank had Federal Investment Deposit Insurance (FIDC) then any crime committed against it becomes a federal crime and the FBI investigates.

Now are we done defending this guy ? hes a hacker - full stop.

Re:How did the FBI know?

[aozilla]

The argument over intellectual property is so much crap - they were on a secured password protected section of a server he had no legal access to and also i will point out one belonging to a competitor of his - and he stole them thus commiting theft.

• theft - The act or an instance of stealing; larceny
• steal - To take (the property of another) without right or permission
• larceny - The unlawful taking and removing of another's personal property with the intent of permanently depriving the owner; theft.

This was not theft. Copyright infringement perhaps, unlawful computer access definately, but not theft.

Re:How did the FBI know?

[q-soe]

He STOLE the scripts which were the LAWFUL property of the company he hacked into - His intention appears to have been to PERMANENTLY deprive the owner of their customers

And the same laws that cover industrial espionage would cover this as according to the information on hand he was a competitor to the company who he hacked thus this a direct attack on their ability to trade

This is Theft - not to mention the passwords and logons he stole which is also theft

Re:How did the FBI know?

He STOLE the scripts which were the LAWFUL property of the company he hacked into

I disagree. Stealing involves taking which involves the victim losing something.

His intention appears to have been to PERMANENTLY deprive the owner of their customers

So he had intent to steal customers. Still doesn't mean he actually stole anything.

And the same laws that cover industrial espionage would cover this as according to the information on hand he was a competitor to the company who he hacked thus this a direct attack on their ability to trade

I never denied that it was industrial espionage. Only that it was theft.

This is Theft - not to mention the passwords and logons he stole which is also theft

You and I obviously have a different opinion on the definition of theft. Mine would be "The unlawful taking and removing of another's property with the intent of depriving the owner of that property"

Re:How did the FBI know?

[q-soe]

Nope
Not legally

What did the victim lose - ok try prestige, good will (these BTW are measured and worth money to a business)

Its still illegal

Its still theft - the minute he copied the data it was theft. (And industrial espoinage is a criminal offence under US laws and considred theft)

Nahh our opinions on theft are different beacuse i have to spend money and time keeping pieces of work like this out of my systems

Re:How did the FBI know?

[Jace+of+Fuse!]

This was not theft. Copyright infringement perhaps, unlawful computer access definately, but not theft.

You, are very wrong.

"Waa, waa, I can't be wrong, I'm 1337! Information wants to be free! He didn't take anything! It isn't theft! Waa!"

You are very wrong because he did in fact intend to permantly DEPRIVE the owner of something, and did so, in fact.

"Waa, waa, No, he didn't, I'm going to keep whining about how information waaaaaaa wants to be free! *sniffle*"

He's a theif. He stole their "sole possession" of proprietary code. Before he took it, they (and possibly others that they granted use of) were the only persons rightfully in possession of said code.

When he STOLE that sole possession, he devalued it's value to them as a sole possession (no matter how substantially so).

If he had sold it to other people, he would have been STEALING their ability to offer an exclusive service. If he had been USING it for his own gain, he would have been STEALING THEIR HARD WORK for his personal gain, essentially turning the situation into a case where they were unknowingly working for him, without pay.

It's theft. Any arguement to the contrary is bullshit.

Re:How did the FBI know?

[aozilla]

You, are very wrong.

No, you are.

"Waa, waa, I can't be wrong, I'm 1337! Information wants to be free! He didn't take anything! It isn't theft! Waa!"

Well, that was enlightening. If you would like a response as to why you are wrong, feel free to post again without being a dickhead.

It's theft. Any arguement to the contrary is bullshit.

Re:How did the FBI know?

[aozilla]

What did the victim lose - ok try prestige, good will (these BTW are measured and worth money to a business)

WTF prestige or good will did the victim lose? I don't even know who the hell the victim was. Besides, are you saying he "stole" good will? I think that's a ridiculous argument.

Its still illegal

So is going 56 in a 55 mph zone. So is buying something over the internet without paying a tax to your state (in most states). What's your point? My point is that he did nothing which should be illegal, because he did not harm anyone. Even if he did harm someone's prestige, or good will, like you say, he did that only by stating true facts about them. Stating true facts about someone and harming their prestige is not illegal, nor should it be.

Its still theft - the minute he copied the data it was theft.

So I just copied your writeup, was that theft? Was it theft when I copied, or when I pasted?

Nahh our opinions on theft are different beacuse i have to spend money and time keeping pieces of work like this out of my systems

As do I. I'm just not selfish about it. Do lawyers copyright their court arguments? They spend money and time creating those arguments, and they are "stolen" (your words) all the time in other cases referencing them. I don't see lawyers going out of business. Why? Because they are paid for their ability to make new arguments, to adapt to new situations, not to copy and paste things which they've already created. The software industry should be no different. I have no need to be paid over and over again for a program I write. Once is enough, thank you. The time I'd save being able to "steal" (your words) other people's code would more than make up for the money I'd lose because some idiot knows how to copy and paste.

Besides all of that, whether or not this is theft is not an opinion. It is a fact. And my belief as to whether or not what this guy did should be illegal has nothing to do with the fact that is not theft. Those who try to imply that it should be illegal, such as yourself, sometimes claim that it is theft to make it sound a lot worse than it is. Copying is not theft. It's not murder, it's not rape, it's not treason, it's not terrorism. It might be copyright infringement. It might be industrial espionage (in this case it wasn't though).

But hey, if it really is theft, I guess we can get rid of copyright law, since it's redundant. Theft is already illegal, so why bother making it illegal again. (I'll give you a hint, because no jury would convict someone of theft just because they made a copy of something).

Re:How did the FBI know?

Mike runs a lemonade stand.

Suzi learns his secret formula and uses her bigger allowance to open her own stand to compete with Mike.

All the kids flock to Suzi because she is able to buy more materials and get bulk discounts, and thus undersell Mike.

Suzi puts Mike out of business using his secret formula.

She STOLE from Mike. She stole his INFORMATION. she STOLE is PROPRIETORSHIP. She STOLE his CUSTOMERS. She is a theif.

Suzi will go far in the world.

Re:How did the FBI know?

[q-soe]

business goodwill is a valuable thing - this guy is a competitor who went after the company to damage their business.

Dont get childish and compare copying my text to what this genius did - he did not copy anything he stole and modified it, gave passwords away to friends and boasted about it - hell hes the sort of person who probably posts troll posts on slashdot - he committed a crime - he confessed and pled guilty.

You can reference a document but you cannot copy it verbatim - and i used to be IT for a law firm - the way a lawyer does it is to refernce the pleading or case in his statement - thus he is quoting and it is legal.

He didnt 'adapt' anything - he was trying to make money by doing this - thats a for gain action and there goes the white hat argument out the door.

I love how every time this sort of story is posted here they fall back on copyright - yeah sure no jury will do it - thats why companies never ever sue anyone for copyright violation and patent violation.

Did you read this story or only the slashdot stuff ? look at the facts - this guy copied nothing for just copying - he worked for weeks to break into the system and then stole information with the intention of profiting off it.

As Paul Harvey says, Now for the rest of the story

[pgrote]

It's great that the truth according to the prosecuter came out. Anyone with any sense can understand that we he did wasn't noble nor helpful. It was wrong and illegal.

But ... wouldn't you love to know if the paper understood what happened to it? Wouldn't you love to know what happened to their webmaster? Their network administrator?

In the IT world mistakes like this are often glossed over and not taken seriously. One would expect to be fired over something like this, but alas, they are not.

The best example of this is the Code Red and NIMDA fiasco. I can't tell you how many admins should have been terminated for not properly patching their systems. It is amazing.

Only one side of the story

[Ldir]

Remember that this was a press release by the prosecutors. It tells the story they want us to hear, just as Brian West told the story he wanted heard. I wouldn't take either at face value.

Brian did something. He may have done something wrong. He faces a "hacking" trial just as there's a national furor about the evils of the Internet. His guilty plea may be a pragmatic decision - accept a slap on the wrist instead of taking a chance with a judge or jury. Certainly we've seen plenty of examples of clueless judges reaching bad decisions because they don't understand technical issues.

(Or because they're owned by the entertainment industry.)

Re:Only one side of the story

[dragonxhero]

nice point....

butttt.... and perhaps i'm being naive, but i really don't think the procecutor would release information saying "the fbi found x, y, and z" and "he told people he was going to _______" unless it were proven/admitted/'true'....

but props for pointin that out ;)

Re:Only one side of the story

[q-soe]

You have a good point about this but for one simple fact - and this can be found by reading the logs - this guy isn't going to trial because he hung himself out to dry by admitting he had done it, boasting to people (including the editor of the paper) keeping the stolen files and then giving passwords to a friend.

In other words the evidence alone would hang him - the fact that he tends to come across as an arrogant person in his writings and letters, and dont forget he only tried the white hat when caught.

people like this guy think the law doesnt apply to them, they think that computer crime is something no one else will understand and that makes it hard to prove etc, it isnt - trust me i have worked with Australian Federal Police investigators at a previous role (involving an attempted hacking incident at a financial instituion) these guys were very very smart and skilled and 2 of them were ex hackers (1 who had served jail time) they know what they are doing.

This guy has to have committed the most amaterish, pathetic and misguided hack in history and then thought he could use the open source movement to cover himself and the EFF to protect him - he was wrong and this should teach us a lesson.

All is not what it seems in these cases - IMHO there is no such thing as white hat or black hat ONLY hackers - any justification you can try and find wont change the fact that these guys support an ethos surrounded in getting access to things they havent been given.

Hacking is wrong. FULL STOP

Re:Only one side of the story

[Ldir]

In other words the evidence alone would hang him ...,

I'm sorry, but I still think people here are making the same mistake they made with the first article - they are assuming that today's story is complete and truthful. I don't make that assumption.

Yes, if the prosecution's version of the story is accurate, West deserves prosecution. He may well be an arrogant jerk who's trying to hide behind a white hat defense. I just can't reach that conclusion based on a press release from the prosecution.

We haven't seen the facts. We are only seeing the prosecution's representation of the facts. We are seeing their version of the story, their spin on what West did, the "facts" as they intended to present them in order to win the case. Even the guilty plea sounds as it if were written by the prosecution: "defendant agree[d] to the following statement of facts." If this had gone to trial, I'll bet the defense would have presented a much different set of "facts".

Our legal system is good, but it is staffed with fallible human beings who make mistakes, have agendas, and sometimes see what they want to see. People are sometimes wrongly prosecuted. I can't imagine a prosecutor in any case saying, "He didn't do anything wrong, but we're going after him anyway."

A press release is a sales tool, crafted to convince us to "buy" the seller's product. It isn't necessarily the truth.

Re:Only one side of the story

[Alsee]

IMHO there is no such thing as white hat or black hat ONLY hackers...
Hacking is wrong. FULL STOP

False. FULL STOP

Merriam-Webster online dictionary
http://www.m-w.com/cgi-bin/dictionary

Main Entry: hacker
Function: noun
1 : one that hacks
2 : a person who is inexperienced or unskilled at a particular activity
3 : an expert at programming and solving problems with a computer
4 : a person who illegally gains access to and sometimes tampers with information in a computer system

Actually I think many hackers and entomologists would consider that dictionary definition too restrictive. Hacking can be used to refer to exploring, attempting to understand, and/or manipulating any complex system. Social engineering is also a form of hacking. "Social engineering" is not necessarily a negative term either.

Re:New laws saying this is "life behind bars" offe

[XorNand]

Actually, I beleive that it is you that is misinformed. In it's current drat, the ATA would most definately apply in this case:

From Title 18, Sec. 1030 of the US Code:

(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;

...and from the draft of the ATA of 2001:

SEC. 106 INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.
(1) in section 2510-
(A) in subsection (17), by striking "and" at the end;

(B) in subsection (18), by replacing the period with a semi-colon; and

(C) by adding after subsection (18), two new subsections as follows:

"(19) `protected computer' has the meaning set forth in section 1030; and

"(20) `computer trespasser' means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer."; and

(2) in section 2511(2), by adding after paragraph (h) a new paragraph as follows:

"(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if-

"(A) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;

"(B) the person acting under color of law is lawfully engaged in an investigation;

"(C) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and

"(D) such interception does not acquire communications other than those transmitted to or from the computer trespasser.".

moderation surprise

looks my attempt at illustrating the horrible biasness of the moderation has worked to a T. this post that was just as offtopic and a trollget +5 because it agreed with the slashbot orthodoxy, while this post which is equally offtopic gets -1.

i mean c'mon now..what's the deal?

are there any idiots who believe the moderation system still works??

Re:moderation surprise

Nice experiment!

I am not a moderator so I cannot affect this ...
Hell, I don't even have an account.

But I love the simplicity of the experiment and what it tells me about myself.

Re:moderation surprise

Nope. That's why a lot of us still browse at -1, so we can see things like your post, which btw, should indeed be -1, Offtopic. Not to say I don't agree with you.

The other post, the peacenik one which got +5, insightful, should have also been -1, Offtopic.

Re:evidently

[bl1st3r]

Evidently, you didn't have time to read my two previous replies regarding my mistake. And I DID read the story, I just missed the small paragraph concerning the document theft.

Drop it now?

He is a terrorist

[ksw2]

What this man did was clearly an act of terrorism.

I'm glad legislation is in the works to treat him as such. I recommend mandatory life sentence. We cannot remain idle while our nation is being attacked by such brutal "haxorists".

I recommend mandatory life sentence.

I don't get it..

[mindstrm]

This doesn't put a different spin on events.. it's all interpretation.
I don't knwo what really happened.. but what I recall reading was that:

He HAD access to the site.. he was working on some stuff for them.
He discovered he had access to MUCH MORE than he should have, which he tested by downloading a couple files he shouldn't have.
He told them about it.
They called the Cops/FBI/whatever...
He got arrested.

He *DID* knowingly download something he knew he wasn't supposed to have access to.. so it IS a crime.. however... where did he get the password?

Re:It all seemed so clear the first time through..

[q-soe]

As a corporate IT manager i would like to ask you one question ?

Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy ?

The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - i look at this as a simple thing - it is unauthorised access and theefore illegal.

When will some people get this through their heads - if you have someone elses account and password obtained from any source which does not have authoirity (eg the Sysadmin or network admin) then you are commiting a crime - you should not have it.

It doesnt matter what you do with them or where you got them, possesion is Intent - Intent is used to prosecute.

think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or artivles on hacking, maybe a hacking program and they find a list of passwords and logins to systems and websites.

Guess what - thats intent and you are getting charged with hacking, if they happen to be bank system passwords you are probaly going to be charged with fraud. They might not prove the charges but they have sufficient prima fascie evidence of crime of intent to commit to charge you with these things.

I cannot see ANY justification to have lists of passwords and user names to anybody elses system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap its not funny and its the argument all the hackers attempt when they are caught.

STRIKE that.

[mindstrm]

I desreve to be modded down. I didn't read the article fully. He deserves what he gets.

Re:STRIKE that.

The article though is only the prosecutor's side of the story.

MOD THIS UP

It's almost unheard-of for a poster on Slashdot to admit a mistake or reconsider his/her point of view.

Re:MOD THIS UP

[bl1st3r]

I am a humble little nerd... :)

Re:MOD THIS UP

No, mod this down! This little karma whore should have READ THE FUCKING ARTICLE before posting.

Spreading of alarming news?

[aralin]

In my country he would most likely get away with what he did, with the computer. Maybe with a monetary punishment, but there is a law about 'spreading alarming news' which I believe he did by trying to present the story in different way to the community and this is a crime that could be charged with several years in prison.

Re:Spreading of alarming news?

Do they cut off tongues or chop off fingers depending on verbal or typewritten method of communication?

What are you talking about?

[S1mon_Jester]

Did I miss something? I didn't see anywhere in the article where he changed the password files.

Yes, he downloaded the Perl scripts. He even downloaded the password files. He shared them and was rewriting them in PHP. (Frankly, I'm surprised he copped a plea.)

Re:What are you talking about?

[S1mon_Jester]

BTW: the article CLEARLY states that he informed PDSA on Feb 2. So he DID tell the admins.

Gray area in confidential info....

[AtomicBomb]

This case is quite clear cut that Brian West had done something stupid and wrong. He deserves what he gets.

But, there are cases are not always as clear cut as that. In this case, we can identify his criminal intention from his download of password list then use it to exploit other parts of the system.

What if the confidential / proprietary info is left in a completely unencrypted/protected state. A few months ago, when my friend was looking up info for a robot toy from a very high profile website, the ColdFusion server encountered some internal errors and dumped out its own scripts and even the **administive password**. My earlybird friend cached the page and showed up later on today.... The intention seems to be benign enough, but the material evidence seems to be the same.

That's why, when ridiculous convictions really occur, we still need the community, we still need EFF. In some cases, we are the only people who understand what we are thinking...

Help me out here...

[Macrobat]

Some people seem to be saying that, if West had merely poked around searching for security holes (without being asked) and informed the company, that he wouldn't have done something wrong. Is this what I'm hearing?

If it is, how is that different from someone going around testing people's front doors at night, coming upon the sleeping residents, and telling them their door wasn't locked? I think most of us would agree that's criminal behavior. Face it, even if he didn't enter, "testing" the doors on other people's property is trespassing, plain and simple.

Re:It all seemed so clear the first time through..

[DNS-and-BIND]

But the passwords *were* gifted to the individual. They were so poorly-protected as to be considered public.

php??

[AssFace]

. The files written by defendant were in the PHP computer programming language and the file extensions of those files ended in .inc and .asp. These files were not in the PERL programming language."


so there was an include file, and asp files... can php run with an asp extension?

I personally don't see what the big deal is wihtout knowing what the perl scripts were. I just think it is funny how they are making it out to be this hacker, and the guy was using some of the most basic things -and they aren't really programming languages such as they scripting langs (the perl people are gonna get pissed at me on that one but I don't mean it as flamebait, just as my opinion).

Re:php??

[WildBeast]

well yes php can run with asp extensions if you change the apache configuration file to indicate that files with an asp extension are php files.

Re:php??

[Menelik]

Yes you can run php scripts with a .asp extension.
You just need to tell the web server that the asp extension will be handled with the php engine :-)

Re:php??

[AssFace]

hmmm, curious as to why one would want to do that? I suppose to make it look like you are using asp, when in reality you are using the much faster php. either way I guess....

scum

[ckuhtz]

And I once felt sorry for this guy.

What a piece of scum.

Re:scum

He's a first class bullshitter alright. Hope they give him the max sentence. Maybe some of the "boys" in jail will give it to him where he deserves it.

Re:It all seemed so clear the first time through..

[dmarcov]

Ok -- sorry, I should have been more clear with smiley, 's, or something like that. It was a joke. For the record, nobody should ever have a list of usernames/passwords that don't belong to them and whatever other boilerplate is needed to cover any possible circumstance.

Good Deeds

Remind me to never try and help anyone. I just can't believe these people got the police involved when it was obviously something that could be fixed.

Re:Good Deeds

[keflex]

Read the article, idiot.

Hey people he got what he DESERVED

[t0qer]

I'm just blown away by the fact people actually defend this guy! We all have to start changing our view on security breaches by bringing in real life analogies.

If this guy had gone to the front door of his competing ISP, noticed it was unlocked and then walked in, HE WOULD BE GUILTY OF BREAKING AND ENTERING.

The whole underground movement of "lets push doors to see what's open and make ourselves look good by admitting to breaking and entering" isn't going to cut it anymore in this post terrorism world. He committed a crime plain and simple, doesn't matter if the key was copper or RSA. You are not a good neighbor if you are constantly looking for ways to break into my house. Especially if I don't even know you!!

It's true, people do need to check their firewalls and whatever other security means they have for exploits, but it does not give anyone a license to go willy nilly on the net looking for exploitable systems. If someone has a system infected by nimda and you see their IP coming across your firewall, yes call them. That's OK cause you are not breaking or entering.

--toq

~~~Moderators, note I posted this with my real account. Unlike the karma whoring anonymous cowards I stand behind my opinions.

Re:Hey people he got what he DESERVED

[Atrax]

Surely walking through an unlocked door would be trespass rather then break & enter?

of course, I'm not sure how US law treats this, but I beleieve UK law treats it that way, and I'm fairly sure Australian law is the same (british ex-pat living in aus)

Re:Hey people he got what he DESERVED

[t0qer]

No understand what he did, he was poking around for exploits, and broke the system to gain entry to a part of the system he wasn't supposed to be in. On top of that he was from a competing ISP. His defense is as lame as, "Gee sorry governor, I pulled the gun to see if it was loaded I didn't mean to shoot him"

Breaking and Entering. Open and shut as that. He has a criminal mindset and needs to be rehabilitated.

--toq

Re:Hey people he got what he DESERVED

[I_redwolf]

That analogy isn't good I don't know why people keep using it.

If you own a home.. and you had weapons in your home that were unsecure.. And the invisible men outside keep breaking into other peoples homes and using those weapons to attack people. You happen to be looking in your backyard and see your neighbors window open. Or passing by, or trimming your hedges. What do you do?? You go over there knock on the door and tell him to close the freaking thing in fear that an invisble man will break into his home and steal his weapons to try and come kill your family. That's what you do.

That's a better analogy comparable to the net. I wouldn't apply it to this case but it's just a refute to "lets push doors to see what's open and make ourselves look good by admitting to breaking and entering". It's more like "lets make sure my neighbors doors are closed to make sure they are safe and so am I". Sorta like neighborhood watch.

Re:Hey people he got what he DESERVED

[t0qer]

NO NO AND NO

He purposely was poking around for a exploit, he found the exploit and purposely used it to gain access INTO A PLACE HE WAS CLEARLY NOT SUPPOSED TO BE. On top of that he was from a competing ISP.

How much clearer does it need to be that that? He broke (exploited) and entered(rooted) Nobody asked him to look for exploits on the system. HE DID IT WITHOUT PERMISSION. Consider this guy part of the winds of change. The cracking community needs to realize that working admins are sick of seeing port scans DAILY across their firewalls, and the laws are going to change very soon. For the better IMHO.

--toq

Re:Hey people he got what he DESERVED

[Atrax]

wasn't talkign about west. was talking about the prior poster's analogy.

Re:Hey people he got what he DESERVED

[I_redwolf]

Can you read?

That's a better analogy comparable to the net. I wouldn't apply it to this case but it's just a refute to "lets push doors to see what's open and make ourselves look good by admitting to breaking and entering". It's more like "lets make sure my neighbors doors are closed to make sure they are safe and so am I". Sorta like neighborhood watch.

Oh please spare me with the portscans, the only people annoyed, bothered or scared of them are people with machines that haven't been secure. If you're machine is secure you only have ports that you need open and then ports that you want open. All other ports are closed. If you're scared.. get packet encapsulation..

Re:Hey people he got what he DESERVED

[t0qer]

>>Oh please spare me with the portscans, the only people annoyed,

You're right I am annoyed. I'm the sysadmin, I do my own port scans and exploit searches. I also script in patches on peoples log in scripts, and on top of that do the daily running around fixing problems and doing basic training. Nobody has a right to portscan my network without my authority. I can't count how many little lamer's i've wiped off the net from reporting their asses to their ISP.

Fine, next time i'm in your neighborhood, i'm gonna go from door to door, just to check and see if any doors are open. Then i'll report down to the local jail and let all the criminals know that I_redwolf leave's his door unlocked. On top of that i'll pick up some varient of the crip gang to scrawl tags all over your house, cause you prolly think website defacement isn't a crime either.

It's only a neighborhood watch if everyone get's together and agree's to watch. If I don't know you, if I didn't give you permission to look for exploits in my system, you're guilty of breaking and entering plain and as simple as that.

--toq

~~moderators note* posted with my real account cause I stand behind my opinion's even risking -1 mods, unlike anonymous karma whore's

[OT] Capitalization Madness!

[The+Pim]

Can anyone give me any hint to what started people writing Perl as "PERL"? Ok, it is an acronym (more than one, actually), but every single piece of documentation, and every official reference, says "Perl" for the language (and "perl" for the program). Yet people must have copied it from somewhere, for who would choose to hang on to that tedious shift key longer than absolutely necessary? My only theory is that they were mislead by the practice of writing book titles in all caps, but this would suggest that there is a critical mass of simpletons who have seen the cover of these books but never dared to peek inside.

Now, I even see people write "JAVA", and that's not even an acronym! Though I suppose one might infer that it's Just Another ....

Would those in attendance mind helping me by gently informing the users of this barbarism that "You sound like a freaking ignoramus!"? While I've got you, could you do the same for (stop here if you have a weak stomache and an appreciation for language) virii.

Re:[OT] Capitalization Madness!

JAVA => Just Another Vague Acronym

Re:[OT] Capitalization Madness!

[Pulzar]

Well, this particular document was released by the Department of Justice, and they seem to like writing things in all capitals. Names of companies, individuals, programming languages, FBI special ops teams :) (CART!).. Must be some kind of a lawtype :).

Re:[OT] Capitalization Madness!

[acceleriter]

One of my pet peeves is people and publications (including the venerated Dr. Dobbs) using "Cobol", "Fortran", and "Basic" vs. the correct COBOL (COmmon Business Oriented Lanaguage), FORTRAN (FORmula TRANslator), and BASIC (Beginner's All-purpose Symbolic Instruction Code).

But my friends often tell me I'm pedantic right before they stop inviting me to lunch. And I haven't completely snapped, having not seen "Apl" in print.

Re:[OT] Capitalization Madness!

[scrytch]

> Can anyone give me any hint to what started people writing Perl as "PERL"

The original machine PERL was written on had a four-letter limit on names (not filenames, probably something like package names), and used all caps to boot. Larry Wall wanted to call it Pearl, and any expansions of PERL are backronyms -- it doesn't actually stand for anything. The official name for the language is "Perl", when referring to the interpreter it's perl (lowercase), and spelling it PERL can get you roundly flamed on #perl.

Interstate Commerce?

[e-mike]

in the kellybreed article, it's mentioned in a couple of places that interstate commerce was involved: "Defendant's access to the webpage involved interstate communications." and "... through the use of an interstate communication,".

My question is, does anyone know what this really means? It appears that interested parties were in OK, so it's not like he was connecting to a server in another state. In what way did connecting from his (OK based, right?) ISP to a site across town (hosted in OK, right?) cause interstate commerce issues to come up?

Re:Interstate Commerce?

They had to justify the FBI being there, that's all. No, there's no justification for it since it was NOT interstate in any manner. But, still, they had to justify the FBI being there. So that's why it's in there.

Re:Interstate Commerce?

[YIAAL]

I believe that it's interstate commerce because he used the "facilities of interstate commerce" (e.g., phone lines, etc.), which federal courts generally consider to be interstate commerce even if everything takes place within the same state.

Yeah, I know it's stupid, but I didn't write it. I'm just explaining it.

Re:New laws saying this is "life behind bars" offe

[dragons_flight]

No. He pled guilty under Title 18, Section 1030(a)(2)(C).

Only 1030(a)(1), (4), (5)(A), and (7) are the computer crimes considered terrorism offenses under the draft of ATA (See Sec. 309)

By hacking the computer he gives up the right to any privacy regarding his actions on and communications with the attacked computer (Sec. 106), but then I wouldn't really expect someone to have privacy regarding what they do with a computer they shouldn't be on in the first place.

Jurisdiction

Jurisdiction.

If all parties involved were in the same state, then the state DA would prosecute under state law.

Read the Constitution, and the phrase "interstate commerce" shows up as one of the areas where the Federal government has jurisdiction. So West was charged by a US District Attorney with violating Federal statutes, and went before a US Judge.

If you were going to play baseball, with a large bet involved, would you rather play against the Cucamonga Quakes or the Yankees? You'd probably still lose against the minor league team, but you'd have a better chance of getting lucky.

Maybe the FBI...?

[Scratch-O-Matic]

Hmmm...maybe the FBI really ARE the good guys!

I think this is an excellent opportunity to put things in perspective. The FBI, along with other government agencies, are much maligned on Slashdot. Now, I'm all for civil debate. Wanting to know the facts, and not believing everything you're told, are good things that should be encouraged here in the US. Those principles are espoused here except, it seems, when dealing with law enforcement and intelligence agencies. Remember this case next time you are quick to judge an investigation or trial.

Re:Maybe the FBI...?

[dmarcov]

You are completely right. It is very easily around here (and fancying myself a bit of a civil libertarian) to start thinking of government as the actual root of all evil. Of course that's simply not true. They aren't all good, but they certainly aren't all bad. I hope someone mods ya up for pointing that out.

Jeez

[fizban]

For all those that still want to defend this guy, let me ask you this: "Why did he plead GUILTY?"

If you know you didn't do anything wrong. If you know you are on the right side of the law or are trying to prove that a law is unfounded, you DO NOT plead guilty. You plead innocent until the cows come home.

He knew he was wrong and he knew he wouldn't be able to prove he was just a good samaritan.

And don't tell me he was pleading guilty for a lighter sentence. If you plead guilty at all, then you know you did something wrong. Innocent people do not plead guilty at any time.

Re:Jeez

[BJH]

Wanna bet? There's precedent for prosecutors telling defendants that they'll be looking at a long, drawn-out court case that will leave them unemployable *unless* they sign on the dotted line admitting to a misdemeanor. If you believe otherwise, you're terribly naive.

Re:Jeez

[fizban]

Of course people do this. But they're stupid to do this if they know they were in the right and will win their case.

This guy knew he wasn't in the right and he pleaded guilty. period.

PHP = .asp and .inc?

[kimihia]

Apart from the amusing captilisation of PERL and the painstaking explanation of its acronym, there are some seemingly odd comments in there.

First off, the rewritten files were coded in PHP. But then they mention the files had the extension .inc and .asp. What? ASP = Active Server Pages. PHP = PHP! If he really was writing it in ASP, he certaintly does deserve to plead guilty!

Re:PHP = .asp and .inc?

[Tet]

It really helps because otherwise, the script-code and the HTML just looks the same, and its an unreadable mess.

I think what you're trying to say is that you're using the wrong tool for the job. If your editor can't handle highlighting of PHP, then perhaps you should consider alternatives...

Re:PHP = .asp and .inc?

[dgroskind]

perhaps you should consider alternatives...

May I suggest Vedit? It includes syntax highlighting for many languages but it also allows the user to create custom configuration files for syntax highlighting in any language. These configuration files also permit pattern matching.

Version 6, a major upgrade, is being released in October. I've used Vedit for 20 years, back when it was the only editor available for CP/M.

In those days, of course, there was no such thing as syntax highlighting...but I digress.

Re:PHP = .asp and .inc?

[purplemonkeydan]

Use Web folders, and any other text editor. Personally, I like TextPad (www.textpad.com).

You can access a WebDAV server just like a network share. I believe in XP, you can even map it to a drive letter, but don't quote me on that.

Re:PHP = .asp and .inc?

[ethereal]

Or even worse, train yourself to actually read the code rather than relying on the pretty colors to make it all legible. vi in an xterm is what you need, son :)

Re:PHP = .asp and .inc?

[bdrexler]

Actually, I use Edit Plus (www.editplus.com). Although it does not highlight, it color codes. It also allows any programming language, and you can write your own syntax files and auto-complete templates. Works really well for PHP/HTML and all sorts of related applications.

Let him fry

You all assume that these idiots are innocent, and then they turn out to be criminals. Finding a security hole is one thing, exploiting it is another, and turning the hole in is pure idiocy. Dumbass deserves to be shot.

propaganda

This is **** written by the prosecutor. The guy pleaded guilty because it was the easiest way out. That doesn't mean he did it. Once a prosecutor is on the case, he needs a conviction -- doesn't matter if the guy's innocent. And the press release is just the prosecutor's "proof" that he was right -- if you read it on Slashdot it must be true (ha ha).

Suppose he downloaded a couple of perl scripts from a loser site, too clueless to secure itself. Big deal. How much could that be worth? What's the motive for the "crime"?

Give me a break.

Could reality be...

[stox]

Is it possible that Brian West was confronted with the following:

FBI: Mr. West, we'll give you a choice, you can plead guilty and admit to the following and serve a light sentence, or you can fight this for the next five plus years, probably be found innocent, while you and your family starve in the mean time.

Mr. West: Um..Um...Um....OK, where do I sign?

Don't believe this can happen? It already has to others. Unless you are an absolute saint, few of us are, you don't stand a chance if the big wheels decide to roll in your direction.

Re:Could reality be...

Yeah, that's definately more likely than a 24 year old geek breaking the law by taking advantage of a security hole in a web server to download user-ids and passwords.

Re:Could reality be...

[I_redwolf]

Actually the first poster's stuff is probably a bit more likely.

Re:Could reality be...

[ab315]

I basically agree. The fact is he called
the newspaper and told them about the security hole (undisputed, right?), whereas if his intent was purely
criminal he would obviously have kept quiet about it.

Downloading the scripts was stupid but I don't
regard it as a matter for the FBI. As far as I can tell, nobody got hurt. He didn't actually try to sell the script -- if he had tried to do that it would be a different matter. Heck, if
somebody downloaded a cgi-script off my server
by some obvious security hole like directly typing
a url into the cgi directory then I wouldn't
consider the need to bring in Federal Agents and have the guy sent to prison.

I am amazed at the number of people saying that he deserves everything... obviously they have never been wrongly accused of anything. Honestly, some posters sound like they want the guy to go on death row or something.

Re:Could reality be...

i'm an absolute saint. really.

Got some new info

This guy just got rearrested on some other charge more on this later.

Re:Got some new info

Thanks for the update!

That'll learn ya

[Threed]

Wow. Read the first story, then the update... Then go back to the first story... Wow... I guess a gullible nature is the natural result of interacting more with technology than with people.

I think the first mistake was taking the letter at face value, and it didn't help much that it played on a theme that's all too common around here. Add up enough unfounded assumptions and eventually you'll get a pile of hate mail.

One good thing; the DA's office at least got enough mail to notice the geek outcry. We'll call this one a false alarm - any good security system is gonna have false alarms - and hope that the outcry is that much bigger when it's really needed.

Pow?

[shredds]

For a second I was like "thats so cool that batman is a hacker!"...then I remembered thats Adam West, not Brian West.
Oh well.

NEWS FLASH

[nathanst]

If you DON't want something to be public knowledge..... then try not putting it on a PUBLIC network. The Internet for example last time I checked was available to the public.

Re:NEWS FLASH

[trog]

If you DON't want something to be public knowledge..... then try not putting it on a PUBLIC network. The Internet for example last time I checked was available to the public.

If you DON't want your house broken into...then try not living on a PUBLIC street. The world for example last time I checked was available to the public.

You sir, are quite the idiot.

Re:NEWS FLASH

trog equals troll

cute

Re:NEWS FLASH

[nathanst]

Not the same thing at all. A house is not built in some secure area and then moved out to the street for the sole purpose of exposing it's contents. By your same line of thought the passer-by should be guilty of breaking into your home b/c they saw you spanking it on your front porch and then went and called the police. You sir are a pervert ;)

An alternative view.

[jd]

His cracking (NOT hacking) seems to be really little more than stuff skript kiddies do every day to test people's security. If the FBI wants to prosecute them, all they need to is fetch the complete AOL and @Home subscriber lists.

The other part - the attempted profiteering - is another matter altogether. I don't see how it's connected to the cracking at all. It's basic Black Market racketeering of information, and that should be prosecuted as such.

But the cracking? If the original company were competent, they wouldn't have security even an insider could crack. (Dual-key systems, and distributed privilages, are common ways to limit the damage even an administrator can do.)

Probing and scanning a machine (which includes testing passwords) is not a crime in many States. Only actual damage caused. And, to be honest, that arrangement sounds eminently sensible.

What we are beginning to see here is the blaming of the use of the computer, when the computer had nothing to do with it. This is the kind of fuel the Furher needs to pass the anti-terrorist measures.

(Isn't it coincidental that the cracking gets big publicity at the time the bill runs into trouble...)

egads!

[Dr.+Awktagon]

Phillip: I say, Bartholomew, have you finished that smashing Practical Extraction Report Language script for your World Wide Web page in Extensible MACro System?

Bartholomew: Why no Phillip, I have chosen to rewrite it with VIsual editor, and I have used the wonderful Active Server Pages environment on my International Business Machines computer system. Perhaps later I will re-write it in PHP Hypertext Preprocessor.

Phillip: At least it's not FORmula TRANslation or COmmon Business Orientated Language!

Both: Ha ha ha ha ha !

I Don't Care

I don't care what he did or did not do. This is just a lame way for the lame govt to protect lame sysadmins who can't secure lame websites.

Pretty advanced language for a court document

[zaius]

That's the first government document I've ever seen discuss various programming languages like perl and PHP... you don't see court orders talking specifically about perl scripts very often...

Re:Pretty advanced language for a court document

[ethereal]

It's too bad they didn't call it "Pathetically Eclectic Rubbish Lister" or one of its other, less printable acronyms, instead :)

not knowing, I must ask

out of ignorance, so this is a legitimate quest for knowledge of facts.

Was the charges about him warning a competitor and/or its client. Or did he do something like hack in, port scan, etc. Action would logically make the situation different. Noticing a configuration (like looking at your access logs from the browser, etc) and notifying them is one thing.

I just hope that people don't end up ommiting the truth or parts of it, simply to 'strenghten their claim'. Otherwise it makes the situation look very bad indeed. Let the truth tell its own story, don't lie for it please.

Re:It all seemed so clear the first time through..

"It doesnt matter what you do with them or where you got them, possesion is Intent - Intent is used to prosecute."

Possession is not intent. One may possess a recipe for marijuana brownies without the intent to bake any. One may possess a gun without the intent to shoot anyone with it. It is possession _with_ intent that gets you prosecuted. It might get you charged with a crime, but proves nothing as far as if you did anything with the list.

Scenario: Let's say someone is a sysadmin for a company. As such, he has full access to usernames/passwords; he may even keep a hardcopy list of username/password pairs he uses often. Said sysadmin quits, gets laid off, etc. He still possesses the list of usernames/passwords, but doesn't use it, nor does he intend to. It's just in with the rest of his work papers. Is this sysadmin doing anything wrong? Nah. In fact, he might be purposely hanging on to the paper so that later when someone can't find some password and call him, he can answer.

Here's a real world analogy. Let's say a friend gives me a spare key to their house. Later, said friend moves. I now have a key to a house, which I was given by someone authorized to do so, but which I have no right to use. As long as I don't _use_ that key, there's nothing wrong with possessing it.

Just don't jump on someone, assuming there's no justifiable reason to possess such a thing, or grumbling how people who do will be prosecuted. That's just misinformation.

Donated and glad that I did

I'm glad that my $45 helped Mr. Brian West hire an attorney, as he probably wouldn't be able to come up with a 5-figure amount on his own. I'm glad that, using this attorney, he was able to get the punishment fitting his crime - as opposed to some inflated jail term given in order to "set an example".

Finally, I'm glad he wasn't innocent, because there would have been no point helping an innocent man hire an attorney. And should I someday be in BKW's shoes, I hope that somebody does the same for me.

Re:Donated and glad that I did

Why would there have been no point in helping an innocent man hire an attorney? Attorneys don't waive their fees when their clients are acquitted.

Re:Donated and glad that I did

Because that would have been a sad story where an innocent man was forced to pay $15,000 to keep himself out of prison, instead of a happy story where a guilty guy bought his way out of the federal pen. Duh!

Re:It all seemed so clear the first time through..

Said sysadmin quits, gets laid off, etc. He still possesses the list of usernames/passwords, but doesn't use it, nor does he intend to. It's just in with the rest of his work papers. Is this sysadmin doing anything wrong?

Probably. Most employees sign an agreement to return all property of the Company including intellectual property and all copies thereof upon termination. But I know, that's not what you meant :).

Re:It all seemed so clear the first time through..

[QwkHyenA]

Thank you. Exactly.

What this all really sums up to is a hacker who couldn't get to the log files and decided to try and go the "I'm a white hat here to help" route

Then plays us bleeding hearts for suckers...

*QH does impression of lollipop*

And I was one of the first...

Perl spelled out?

[Angst+Badger]

I don't think I've ever seen "Practical Extraction and Report Language" spelled out in the straight press. I wish whomever the writer of the release asked for a definition had told them "Pathetically Eclectic Rubbish Lister". Of course then, they'd probably have just used the acronym.

Re:Perl spelled out?

What makes you think that the writer of the release had to ask anyone for the definition? At least *he* (or she) got it right. With that 31337er than thou attitude you've got going on, one would think that you'd at least have the sense to know that the alternate version uses "Pathologically," not "Pathetically."

Re:Perl spelled out?

[Keith_Beef]

OK, so the text got Perl right, but read this line:

West told the newspaper editor that
his intrusion accidental.

Hmm...

Apart from that, it looks like West was guilty. The Law wants to jail him? Justice wants to reward him? Read the lyrics to Boris Vian's song about a bomb-builder!

Re:It all seemed so clear the first time through..

[q-soe]

this argument is no defence - they were not gifted to the individual he found a way in and stole them - thats the crime - the security of the system is not relevant and in this case the guy spent weeks looking for a way in - hardly easy then is it ?

And what about the re-write thing?

[Atrax]

it's unusual to write .asp files in PHP - why would he be doing that?

a) he mapped the .asp extension to the PHP parser. Unlikely in my view - if he was going to use/sell the scripts later, why wouldn't he write them with the default, most supported extension? far simpler.
b) the investigating agents don't know the difference between PHP and ASP
c) he doesn't know the difference between PHP and ASP

?

I'm assuming he was running on Windows, since he was apparently using FP (pertooey!)

Intellectual property redux

[Kaiwen]

return all property of the Company including intellectual property

When did a username and password become "intellectual property"? What if my usernmane is, say, my first name and M.I., and my password is my birthday? Are my name and birthdate now the intellectual property of my former employer? What if I write them on a piece of paper prefixed with "Techo, Inc. UN/PW"? Now are they intellectual property?

Hmm...

Re:Intellectual property redux

[Kaiwen]

Umm, excuse me -- troll?! A link to goatse.cx is a troll. This was a question! Where're the metamoderators?

I repeat: do companies really consider usernames and passwords "intellectual property"? Under what circumstances, and to what extent? Can my name become someone else's intellectual property?

Re:It all seemed so clear the first time through..

[BlortHorc]

"Possession is not intent. One may possess a recipe for marijuana brownies without the intent to bake any. One may possess a gun without the intent to shoot anyone with it. It is possession _with_ intent that gets you prosecuted. It might get you charged with a crime, but proves nothing as far as if you did anything with the list.

Scenario: Let's say someone is a sysadmin for a company. As such, he has full access to usernames/passwords; he may even keep a hardcopy list of username/password pairs he uses often. Said sysadmin quits, gets laid off, etc. He still possesses the list of usernames/passwords, but doesn't use it, nor does he intend to. It's just in with the rest of his work papers. Is this sysadmin doing anything wrong? Nah. In fact, he might be purposely hanging on to the paper so that later when someone can't find some password and call him, he can answer."

Okay, that one I agree with.

"Here's a real world analogy. Let's say a friend gives me a spare key to their house. Later, said friend moves. I now have a key to a house, which I was given by someone authorized to do so, but which I have no right to use. As long as I don't _use_ that key, there's nothing wrong with possessing it."

Even that might be okay, but to follow this analogy, this guy wasn't given a key by a friend, he found a competitor kept his key under the doormat, made a copy and used it to break into the house and rummage through the competitor's personal files.

Possession of keys you have a valid reason for is one thing, but possession of keys you have no authority to have is always going to look like intent to attempt unauthorised access. I mean, why else would you have them? Particularly if there is evidence you have actively sought them.

The real meaning of slashdot effect

[nochops]

In typical fashion, the majority of the slashdot community has managed to hipocritically come to the rescue of another hacker / cracker / whatever these criminals are being called these days.

Whoever said it before me was right: If it aint pro-linux / ms bashing, and it aint pro-hacker / down with the man, it aint gonna be liked on slashdot.

No matter what GPL /DMCA /hippie /hacker /geek sugar coating you put on this, it's still really simple:

THIS GUY IS A CRIMINAL AND DESERVES TO GO TO JAIL.

He hacked into a website, stole some code he wanted to use, and would have sold the code for profit, if he hadn't been so stupid to get himself caught. Geez, he even helped himself get caught. He tried to play it off like it was an accident, and told on himself to create an alibi.

He's just another criminal. No different than the scumbag who stole your car, or the scumbag who broke into your house.

The Internet is not some magical place where the real world rules don't apply. People have invested countless amounts of money and time into it, and their property deserves the same recognition as anything in the physical world.

I'll say it again for those not listening the first time:

THIS GUY IS A CRIMINAL AND DESERVES TO GO TO JAIL.

Help a fellow Cracker

When is you all slashdoters gonna come to my rescue? I'ma cracker in jail! Jes, because I wanna drink that good ole moonshine, and beat up on negras and sandboogies, don't mean I'm a bad feller. Come on pony up some cash to the EFF so Ise can get outta this here jail! We crackers gotta keep together ifin we's gonna keep running things in this here country!

MOD THIS UP

This AC has really insightfully contributed to this discussion!

I got it too

[SCHecklerX]

Looks like he wasn't so innocent after all, and justice was served.

Now...why do legal people send stuff in microsoft-mangled RTF? They made that 'open' standard to share documents, and then they use it in a nonstandard way. dammit.

Re:It all seemed so clear the first time through..

[q-soe]

Sysadmins who leave a company and keep their passwords and then use them to get into companies have very short careers

Sysadmins who give passwords to friends have even shorter ones

There is an implicit trust and proffesionalism involved in being in control of system security - any admin worth 10cents would never give away passwords - if he did he would never ever get a job in IT again.

And any sysadmin who replaced another and didnt delete his predessors accounts and access and change service passwords deserves the same fate - its good housekeeping and its the first thing i do

Of course, the first time I decide to speak out...

[DeVilla]

After reading about this case for the first time I felt it necessary to write he DOJ lawyer and state my thoughts. It was the first time I ever felt so motivated. It was astounding that he would be arrested for helping a site with poor security, yet absolutely believable given the state of US law concerning computers, the net and IP.

I know someone who showed his employer that the Win95 'login' passwords could be considered security since they could by passed with the cancel button, and they chewed him out for "hacking" their computers. He also had a web page about the place he worked. (Nothing rude. He was actually pretty proud of the place.) It had some pictures from a pamphlet that the company would give to customers to learn about the company and what they did. They fired him claiming he was trying to impersonate the company on the web and also claimed he was violating their copyright by using the pictures from a pamphlet that anyone could pick up for free.

Anyhow, It figures the first time I speak out, the case is a lie at face value. I have to admit I feel used and perhaps even mildly abused. I would write Sheldon Sperling back to apologize but I figure he has gotten enough email about this case. I am glad I had the presence of mind to mention in my message to him that I know the defendant could be lying and in that case my statements might not apply.

Interseting to note

[q-soe]

How easy it is to seperate the Sysadmins and suchlike on here from everyone else (excepting the trolls -- we know what they are)

The sysadmins and pros and suchlike who work in IT agree this guy committed a crime or provide rational arguments as to why he didnt - they can rationally understand it and even maybe support the FBI - they understand what they did, have read the articles and post insightfull comments and thoughtfull questions and maybe even have a laugh.

The other group include those who thing all hackers are cool and that the goverment has no right to keep them out, they throw up any argument no matter how tenuous to defend the actions of Mr West and then even resort to saying he was forced to confess under duress ! then theres the conspiracy theorists and the lame he didnt steal anything of value (which is wrong guys as they law treats theft of data like theft of anything else)

How much time will the actions of someone who is now a confessed criminal who wasnt sophisticated enough to cover his tracks going to get you all in a lather ? Hasnt he had his 15 seconds of fame yet?

Hypothetical situation: possession/intent?

[jswitte]

I read a post further down that stated that possession of a protected (or supposedly protected) password file implies intent (to commit a crime with said list).

Here's a hypothetical situation: What if some malicious company made a webpage that when I connected to it, it downloaded the password file to a cookie on my hard drive. I don't know it's there. Then they come after me, claiming that I hacked into their system. True, I could say that I didn't know how it got there, and if I could get a person to show that their code downloaded the file (which would probably require a subpoena to look at their HTML code), that could make a good defense that I had no intent.

But what if I can't get that kind of help? What if I get a bone-head judge? Could someone be sent to jail for doing nothing more than browsing a web-page? It does seem that this guy was an damn-big idiot at least, and a malicious cracker at most, but it seems like cops are getting overzealous in prosecuting tech "crimes" without understanding what's really going on.

Re:Hypothetical situation: possession/intent?

[dgroskind]

Could someone be sent to jail for doing nothing more than browsing a web-page?

Highly unlikely. The district attorney pointed out a defense in a press release in response to public concern about the case:
A suspect's intent, the amount of loss occasioned by the behavior, and the context of the alleged offense are among many factors that are within the scope of the investigation and weighed in such prosecutorial decisions. Only after all these standards and issues have been considered would the United States Attorney's Office for the Eastern District of Oklahoma prosecute an individual for a criminal offense.

Federal DAs are reluctant to prosecute unless there is a high probability of conviction and a low probability of reversal on appeal.

it seems like cops are getting overzealous in prosecuting tech "crimes"

Mostly one sees complaints about the light sentences hacker receive when the putative damages are in the $billions. These sentences can hardly be an incentive for police to pursue what you call "tech crimes".

Log files of virtually any Web servers will indicate thousands of attempts at hacking. In terms of sheer quantity it must be the most common crime by far. I'd like to see a little more zealousness in pursuing these jerks.

Who wrote a letter?

[tiny69]

OK
Who here wrote a scathing letter to the editor or someone else regarding this incident when it first came out?

I should see more hands that!

For those that did raise their hand, did you write them an apology for your uncalled for comments? Go on, raise your hand.

I didn't think so.....

Re:Who wrote a letter?

I see no reason to believe these comments were uncalled for. What we have now is only one side of this story - the government's side. Frankly, the government had a a lot of motivation (due to those letters) to come up with a story which casts Mr. West in a very poor light. But there was no trial and no more evidence has been presented other than Mr. West signing the document the government wrote for him to sign in order to get a reduced charge.

Re:Who wrote a letter?

Well I tried to email them but someone's thing (theirs or mine, probably mine) wasn't working. I also tried calling but got an answering machine
message.

You can read more about it at:

http://www.newsdirectory.com/go/?f=&r=ok&u=www.p dn s.com

There's also an interesting story about Wilma Farino who cans apples and okras and rode a horse to Sunday School. I believe it's accompanied by an ad with a woman in a bathtub with the words "Take a bath with someone you love". Being
from Oklahoma, trust me, this is a little more than racey and, frankly, I'm surprised that something like that would be in the Poteau Daily News.

Maybe he was tired of reading and trying to understand The Daily Oklahoman.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: Or, how about this...

You have access to an account through an ISP that you've legitimately paid for, and you find, in your directory one or more files that you didn't put there. You notify the ISP that these files are there, and they acknowledge that the problem has been taken care of-- except that it hasn't. A week later, the files are still there, and even though they're owned by root, they have read access by everyone. What would you do?

Difference between locks and passwords

The persecutors of West and people who are now feeling betrayed by him are overlooking one big difference, which in my opinion should make West innocent, and make Microsoft and the company guilty:
Regular door and car locks do their work by combination of mechanical and legal means. This works because a bad man cannot pick more than one lock at the same time. While he is picking a lock, this may be noticed by neighbors or passerbys, and they would stop him using the force of law.

On the other hand, computer locks (passwords and other security mechanisms) cannot rely upon law to protect whatever they are protecting.
It is possible to automatize the process of breaking computer locks, to pick the locks of 1000 computers at the same time (examples: Code Red and NIMDA), to do the above invisibly without alerting the attention of friendly neighbors.

Therefore, laws against breaking into computers must not be relied upon to stop evil people. Therefore, companies and individuals should rely upon technology alone. Therefore, there should be no laws against hacking per se.

Sorry for using Word ?

Why sorry about Word generated HTML ?
Is pretty good, certainly just as as good or better than output from one of these something2HTML programs.

What I want to know though...

Why did I get this story e-mailed to me from one Sperling, Sheldon?

Re:It all seemed so clear the first time through..

[Alien+Being]

I know nohting about this particular case , but i can tell ythat you are a typical pointy haired, log doesn't matter, type of moron.

The reason for having it could be this, and therefore not be intent to do anything criminal:

The fact that i obtained your password list proves that you are not worthy of holding information belonging to others.

I'd rather have someont break into my house and leave a note that the window was open than the walk into an empty living room. All i would have lost is my illusion of security.

You are a dickehad.

Re:It all seemed so clear the first time through..

You don't need a reason to possess property. Constitution, baby.

Re:It all seemed so clear the first time through..

[q-soe]

I guess im the pointy haired sort of guy you are referring too.

To restate the obvious for those with IQ's lower than their shoe size - You have no right to have passwords and logons to any system you are not explicitly authorised to connect to. - thats simple fact. If you have said passwords then the intent is there to use thm - i dont care what bullshit defence you use to me.

These passwords were behind a secure (or thought) secure system - It apparently took mr west several weeks to get into this system so its not like they were in plain sight.

Yes im sure that this would prove that and if you got my password list i would resign from my company - thats proffeisonalism (although as i run a secured netWrk with 2 firewalls and a DMz server between the internet and all of my secured domain servers (with pin security access for remote logon and mail access only at that point - it would be a fucking good hacker (you aint he) who could manage it - and we have paid to have it tested - i would probably hire anyone who could do it in fact !)

Anyone who would break into your house would not leave a note moron, they would rob you blind.

Do you even live in the real world ? why is it not ok to break into someones house but perfectly acceptable to break into their servers ? What are you on about ?

You sir are a moron

And a troll

Get a job in the real world as a sysadmin and see how much sympathy you have for this shit then.

Re:PHP = =.asp and .inc?

[codepunk]

And what if I just to happen to change my httpd.conf to say use php to process .asp extensions? With all of the asp to php conversions going on right now that is a great way to avoid goofing up outside linked sources.

Re:Have you all gone mad?

You're an imbecile. Guess you missed that part where West agreed that the government's version was correct. Let's see, you fall hook line and sinker for West's original fairy tale, even though only one side agreed to his argument. Along comes a version that both sides agree to, and you still desperately cling to West's original version. If you understand how analogies work, then the Jews would've agreed to Brunner's explanation for your little scenario to hold water. Way to blow things out of proportion by bringing the Nazis into it too, dunce.

Re:It all seemed so clear the first time through..

You do if its stolen or someone elses property you have no right or title to have. Reality moron

Re:PHP = =.asp and .inc?

[kimihia]

He's converting it from perl already, so making sure the links are right isn't a problem.

Also good to use would be MultiViews which allows you to skip extensions entirely.

They WERE public.

That was the whole point. It was not a security hole that he looked for or broke into.

If you put a list of your accounts and passwords on your home page, that's a statement saying please log in with one of thse ids for proper access. Perhaps you do that for a licensing purpose: displaying a login banner and acceptable rules.

Until one logs in, they can't know. If you dont want people logging in to your system, dont post login information to the general public. Putting it on the last paragraph of the deepest page on your publicly displayed site is still advertising it to the public. It's like putting a classified ad out when you lose a passport. Everyone doesn't really read it. A rare person will see it, just by being bored or turning to the wrong page. But its still considered public announcement. Its the same as you putting a page open to the public.

Having a bad password/id which is NOT public knowledge not a public announcement. Posting login info IS an invitation though, which should not be criminal.

Re:They WERE public.

[q-soe]

Nope
the statement on a web page about authorised access only means we can suee your ass and charge you with a crime - why do you think its there.

This is the sort of rubbish i keep seeing here - simply put there are some answers for you

1. he did not just find the passwords - he spent weeks looking for a way in however he could and this is the one he got.
2. The names and passwords were not on the home page - they were inside the system and he got them after he got in
3.Where did they post login information ? he didnt hack into the webiste he hacked into the server
4. they were his competiton thus he can be deemed as commiting industrial espionage
5. he copied the passwords and logins and the files and gave them away thus he is guilty of dealing in stolen goods
6. It wasnt a public page
7. He didnt get in thru a bad password
8. Posting login is not an invitation as it says on most (and i am sure this web page ) AUTHORISED USERS ONLY - thus if you dont have the right to be there dont login
9. having got in he told the newpspaper editor he had and boasted about it and about hacking a bank (he lied but thats not the point)

in short hes stupid

This is the sort of weak crap that all the script kiddies use - it was there so i had the right - they all use it right up until the minute the FBI arrests then then they claim the freedom of the EFF and open source etc - trust me these people dont give a fuck about any of this - they are out (as this guy was) for personal gain

HE LOOKED FOR THE HOLE

All of this information is in the various newspaper stories and affadavits and court documents - READ it before you post this lame attempts at justification

ALL HACKING AND CRACKING INTO SYSTEMS IS WRONG - IT COSTS COMPANIES MONEY AND ULITMATELY IT WILL COST YOU FREEDOMS - DONT DEFEND THESE GUYS

Re:They WERE public.

ALL HACKING AND CRACKING INTO SYSTEMS IS WRONG - IT COSTS COMPANIES MONEY AND ULITMATELY IT WILL COST YOU FREEDOMS - DONT DEFEND THESE GUYS

it also gives the lame companies with worthless "security" the hint that maybe, just maybe, they need to look over their security.

of course it was wrong to steal the code, and of course it was wrong to get a login ID.

had the company had decent security, however, they would have looked over their accounts and quickly found his new one.

not all hacking is wrong. hacking gives us better security. i'd rather be hacked and notified, than hacked and not notified and continue to run flawed software.

Re:They WERE public.

[q-soe]

I can understand your point but why would they if people didnt think hacking into them was their right ? if no one went out to hack their systems why would they need to be secure ?

If you extended this argument to homes we would all live in a house surrounded by barbed wire, rottweilers and floodlights with machine guns for point defence.

BTW from the information provided he didnt make a new account he stole exisiting ones.

I still think all hacking is wrong as the white hat argument is trotted out only when they get caught doing something they should not be.

Now if you will excuse me one of the rottwielers is barking and i think another on of those avon ladies is caught up in the barbed wire.

Re:They WERE public.

[Lord+Vipor+Scorpion]

As a corporate IT manager
...
Comment :- Im nobodys stooge - I have a mind of my own

Sorry, but your "I'm the adult here" gambit only proves you're somebody's stooge--you define yourself by your job, your class, and not as an individual. You may have a mind of your own, but all of your arguments are from a corporate viewpoint.

The analogy between a web site & a house is wrong and evil. The differences in use, purpose, structure, and value (real, not new economy) should make this obvious.

Now if you will excuse me one of the rottwielers is barking and i think another on[e] of those avon ladies is caught up in the barbed wire.

Your cutesy exit strategy is the classic "Oh, I made my BS argument, now I'll make a joke and go." You're more Corporate Manager than IT.

Re:They WERE public.

[q-soe]

Hmmm

So let me see - having worked for 10 years and done everything from help desk to field support to sys admin to gain my position i am a stooge ?

And the analogy between a house is obe that is CONSTANTLY used on this site to defend this sort of person - it might be wrong but thats life and it it after all my opinion.

My arguments are not froma corporate viwepoint - my arguments are from years of maintaining secure systems, patching, updating, rebuilding, years of stoneds, melissa's, prelissas, markers, code reds, nimdas and such like, years of repairing damage done when some uber 14 year old manages to find a hole in a web page on a system you didnt set up but has become your responsibiltiy and you have to clean the mess up, years of port scans and DOS attacks on servers and one case of a super cool dood who hacked into a system at a previos employer and then proceeded to destroy it (a company that made glass windows and doors no less - what sort of reason was behind that)

Now i have an instruction for you. i looked back at your past posts and you have posted some very anti corporate diatribes and at least one bad experience - thus YOUR opinions are colored as well.

I have 25 staff under me and they are all great guys, i try and pay them well and look after them and i have turnover of less that 1 person in 2 years - in return i defend them and expect loyalty and hard work thats all - i dont spout corporate ethics - i support systems and see the damage.

Your point may be a little vallid and was fairly well put BUT i have one question for you - What is your proffesion - i suspect programmer rather than admin support - that alone would color opipnions.

Please note im not flaming you here - i respect your opinion and can see how you came to it - im only pointing out why its not the case

Re:They WERE public.

[Lord+Vipor+Scorpion]

I'm anti-corporation because they foster the very polarity that you & I are experiencing (i.e., manager vs. programmer). So you've gained a position beyond programmer, and now you don't think like a programmer anymore. Programming is all about modes of failure. IOW, computers always fail, you just need to know how. That you blame this on script kiddies, crackers, etc. proves you don't understand this. Take the ILOVEYOU virus: Some kid in the Philipines hacks it & it propagates around the world. Is that the kid's fault of Microsoft's? I take it you would blame the kid. I'm not sifting through your old posts, but as for my bad experience: I left a group of consultants that incorporated and became so desperately greedy that they stole information from competitors in much the same way Brian West did, except with more malicious intent & therefore more discretion. This happens a lot, and the FBI _is_ making an example of Brian White--a bad example. Hell, I'm afraid that if my old company gets caught, they would gladly blame me or another young programmer, when it was the marketing bozos who orchestrated the crime.

Now i have an instruction for you.

An instruction! WTF, are you my manager now? The irony is that you don't phrase anything after this that can be construed as an instruction. Looks like you've made it to PHB.

Doormat Analogy

Your doormat analogy fails because the key was not under a doormat or otherwise hidden. A more accurate analogy was while you were in the parking lot going to YOUR car, you notice a car whose door was left open, keys in the ignition.

The ethical thing to do is to (unlock) and close the door. The ethical and helpful thing to do is (if its a 1 store lot) lock the door, take the key out of the ignition, close the door and take the key into the store to an appropriate authority.

Under your analogy, those are both criminal, as would entering a home which was burning to check for injured people. If you KNOW there are victims, you MIGHT (damn lawsuits) be protected by Good Amaritan laws, but if there are no victims (as it turns out) and you exit, under your analogy, your arrested for setting the fire, intending to commit insurance fraud and with the new laws, terrorist/treasonous activity.

Copying Fred Flinstone's rock wheels

[SimHacker]

One reason you might want to do that, is if you've already published URLs with .asp extensions, and you're getting hits on them, but have switched to using php.

But why anyone would waste their time with a half-assed anemic language like PHP when there are real programming languages that are much better like Python, is beyond me. Ignorance, most likely.

Isn't it a shame that he got busted for copying and (EEEEUUUGH:) reading somebody else's Perl code (like licking dingleberries off a moose butt), and trying to rewrite it in PHP? When he could have just installed Zope, which is totally free, and probably already has 5 different ways of doing whatever he needed to do.

It's like stealing the designs for Fred Flinstone's rock wheels, and then trying to copy them by carving dried mud, when he should be using metal and rubber and air instead, and could have just picked up a set of good wheels for free, if he'd only known any better. Sheez, what a maroon.

-Don

So wise and so untrue.

I quit over six months ago. I still get email from their forwarded to a webmail account. Its automatic and was set up before I gave notice. I sent an email in when they got a replacement asking him to remove my account and reminding him that all passwords should be reset if they weren't already.

He said he already removed my account. Obviously, he didn't, since I still get the occaisional forward from that old address. What can I do?

Legally, I can't do a thing.

If I logged in to remove my account properly I'd be guilty of hacking - now a terrorist activity.

If I notified them that their replacement isn't doing what he claimed, I'm liable for slander - since the truth is not an effective defense. I also risk the perception of having hacked - or how else could I know?

If I do nothing, an admin who doesn't have a clue how to admin a *nix box is running things. Obviously he isn't patching the server if he can't figure out how to disable a login. So there's a box which can be exploited by every attack developed in the last six months since I left.

But hey, they hired him. It's not for me to question the wisdom of a previous employer's managerial strategy. That's why I gave notice in the first place :p

Re:So wise and so untrue.

Are you sure your successor didn't see your ~/.forward and copy the address to /etc/aliases before removing your account? That's what I try to do (thankfully name collisions haven't been a problem yet).

Re:The real meaning of slashdot effect

dude, haven't you noticed? we're the new hippies.

pornsites == freelove

But he WAS authorised.

you have no right to have passwords and logons to any system you are not explicitly authorised to connect to.

But he was authorised. The login ID and passwords were publicly posted. Their not being on the front page or "plain sight" as you put it does not change that. A 1" single column story on the bottom of the 29th page of the main section of the NY Times is public knowledge even though it is hardly in "plain sight."

Had he used a brute force password attack to get to the list, sure he's guilty. But he did NOT do that. He read all the stories in the newspaper/website and came across the one about logging in to the system.

If you setup a web server, anything that people can see by typing in random crap like www.poorlysecuredsite.com/0000000000a.htm is public. You made it public. Intentionally or not, releasing trade secret of login info means its not trade secret or private anymore. You made it public, which means you authorised the public to log in, even if you didn't mean to.

You taking a 40 hour a week, 52 week contract job for $500 instead of $500 PER week is your error, not the guy that hires you and holds you to it.

Re:But he WAS authorised.

[q-soe]

Not in plain sight means behind the scenes - LETS GET THIS STRAIGHT

Anyone who has read the details of this story would see that Mr West did not suddenly find this exploit =- he spent weeks looking for it - this negates the argument about random discovery and the in plain sight crap - oh ant the article in the newspaper analogy is total bullshit and a lame attempt to obfuscate the situation - no matter what page of the newspaper it is on it is considered not only in plain sight but in the public domain and is the most irrelvant argument i have ever seen - this information was found by deliberately looking for it and trying until it was found - the guys is a criminal and your attempts to defend him are misguided and franly laughable

He sought the information - he copied it - he distributed it and he boasted about it - he attempted to besmirch the name of a competitor to get business in what i consider the most pathetic attempt at blackmail that i have ever seen - in short he is a loser

End of story

Re:It all seemed so clear the first time through..

The intent and commission of a crime of two different things, though your analysis seems to mistake one for the other.

Re:Of course, the first time I decide to speak out

You sound like a good person. For the record, Brian West may not have been lying. It is a common technique to threaten the accused party in order to get them to agree to a lesser charge. Since the DOJ needed an out with all the publicity, the entire story line of downloaded Perl scripts for profit could have been concocted for this purpose. And West would have signed at the dotted line to avoid the multiple charges and a lengthy trial for which he did not have the funds to fight a government bureau. We may never know. Or Mr. West may choose to make a statement at a future date (when it is safe to do so) which will present another side to this story. The present revelations are based entirely on a government published text. Look to the source to reveal the interests of truth.

Yeah, and also...

[Xtifr]

Not just "virii". Beat up on those people use "boxen" or "unices", when every Right-Thinking Red Blooded English speaking droid knows that the proper plurals are "boxes" and "unixes". People who deliberately (or not) misuse language with humorous intent should be shot! (Or subjected to folk music, if that's not too cruel and inhumane.) Humor is evil, and all humorists are probably terrorists.

And those people who use "on the gripping hand." Gaah! Aren't they aware that humans only have two hands? Those bastards! Take away their credit cards and force them to wear white after Labor Day!

Dumbass...

When I first heard this story, I thought he was a nice guy getting screwed over. Now after reading the "plea agreement", I discover that this guy found the hole, ripped off a bunch of PERL scripts, snarfed the password file, and started rewriting the scripts in PHP so he could a) look like a cool dude releasing some PHP code, b) make some cash...

Either way, he probably never would have gotten caught if he a) hadn't told the editor he'd found a hole, b) hadn't bragged to some moralistic friends about the code he swiped, c) hadn't written comments saying he was rewriting it, d) encrypted everything and used an encrypting file system, e) hadn't consented to a search, forcing the FBI thugs to get a warrant and using the time in between to securely delete the ill-gotten bootie...

Any way you look at it, the guy got caught because he's a dumbass... Case closed - and with the current hard on that the gvmt has for hackers, he's lucky to get a misdemeanor...

Re:New laws saying this is "life behind bars" offe

Yeah, you are a dumb fuck, Lonesmurf.

Kpt. Kirk to the resque

I heard on the news that.
The USS Enterprice is sendt to the coast of Pakistan.

Re:It all seemed so clear the first time through..

[maxpublic]

There was a city I once lived in where local government officials, contrary to public meetings laws, secretly exchanged emails on how they would "block-vote" on certain issues and set their standard responses in advance of actual meetings in order to present a united front to the press and embarrass the minority on the council. They also used this behind-the-scenes and *illegal* way of communicating to plan the firing of staff that didn't see things their way (and in one case, simply because the guy was Hispanic and they didn't like Hispanics).

Weeelll, now. A certain nameless employee caught wind of a rumor of a rumor of a rumor and surreptitiously obtained the admin password list, which just coincidentally gave a person access to all archived email passing back and forth between the councilors. This password list was provided to a semi-savvy press member who downloaded and printed off all of these emails which violated public meetings laws (and in that last case, laws against discrimination). All of this was illegal, of course, but what the councilors were doing was rather a step up - at least in my view. If you're one of Ashcrofts boys then the employee and press member should no doubt be shot.

Without this bit of hacking the councilors would've gotten away scot-free. Because of it two resigned and the rest were soundly defeated six months later in elections. The employee managed to conceal his identity and no sane person would try to convict the press member of a crime.

Sometimes, just sometimes, there really *are* good guys who hack (or crack, if you're anal about it) systems....

Max

Re:It all seemed so clear the first time through..

[Aceticon]

The whole thing still smells fishy.

Imagine that Brian said to a friend:

"I got this files from the Poteau Daily News and Sun Web site. It's realy bad coded. I'm going to rewrite the whole thing in PHP and see if they will buy it."

This would be enough to get him acused of "intending to derive a financial benefit from the unauthorized access".

Everybody seems to be assuming that "intending to market the revised software program" means that he would sell the new version on the open market. Actually, if he wanted to try and sell the new version only to the Poteau Daily News and Sun he would still be "intending to market the revised software program". A clarification of this is nowhere to be found.

Another suspicious thing is that he actually warned them about the security flaw, just the day after he found it out. Now, assuming he wasn't stupid, there are only two good reasons to do so:

1. He actually had good intentions and wanted to warn them about the security flaw so as to avoid further instrusions.
2. He wanted to blackmail them

If the second case is true, then why:

• Did he explain them the nature of the security flaw ?
• There is no reference to him demanding money from the Poteau Daily News and Sun ?

I would say the waters are still mudded ...

PHP ?

[Gummbah]

"The files written by defendant were in the PHP computer programming language and the file extensions of those files ended in .inc and .asp"

.asp? *rolls over laughing*

What I really want to know ...

[fscking_coward_2001]

is, has PDNS fixed the problem yet?

Re:It all seemed so clear the first time through..

[ihadalittledog]

"But the passwords *were* gifted to the individual."

Does that mean if I don't lock the door to my house, I have "gifted" all of my possessions to my neighbors? If they take my stuff, it's still stealing.

I may have been stupid to leave my door unlocked, but that's another story.

Re:It all seemed so clear the first time through..

[Alsee]

>possesion is Intent

English language is already rich in synonyms. We don't need to erase a useful distinction between words to make another one.

Even if the password list was obtained illegally, that is a separate crime. It does not prove intention to use them.

There are some laws that define possession as intent (possessing a certain quantity of drugs is defined as intent to sell). I believe such laws are flawed. A former friend of mine consumed huge quantities of drugs. To the best of my knowledge he never intended to sell any. Convict him of drug possession or drug use - fine. Convict him of intent to sell and you make a mockery of the legal system.

P.S. I only saw the former friend a few times after he got hooked. He was on everything. He's most likely dead by now.

Each small step is easy to rationaize

[budgenator]

Prisions are full of people who only took one small step. Each one didn't seem so bad, but they all add up. Step A is a little naughty, step B a little more. People generaly don't go from not even a traffic ticket to Bank robbery and Murder is one giant leap.
Look at this guy, he's propable going to go to jail, do a ton of public-service and get put on probation all for stealing some scripts. I wouldn't be surprised if the scripts were freely avialable for download on an other site. Moral of the story is if you get stupid, you'll pay for it.

Re:It all seemed so clear the first time through..

[q-soe]

Whether you believe the law to be flawed is irrelevant - you break it you will be charged - thats the problem with the law - you cant say you dont recognise it and therefore get away with it.

I think possessing the passwords is itself proof of intent to use them in most cases - otherwise why have you got them ?

funny...

[battini]

"It is important that web sites are secure from unauthorized access and that intellectual property
is protected. Cyberspace will be a better place for all if such privacy and property rights are
respected," stated Assistant United States Attorney Jeff Gallant.

a better place if privacy and property rights are respected...hmm, funny the U.S. wants to stick backdoors, and access keys in our crypto technology. privacy? we wont have anything to protect anymore.

when does PHP have .asp extension

"The files written by defendant were in the PHP computer programming language and the file extensions of those files ended in .inc and .asp. These files were not in the PERL programming language."

Yeah I know you CAN change your file extensions, but who would want to glorify ASP anyways?

Re:when does PHP have .asp extension

[I_redwolf]

Someone who wants the PHB and the rest of the goat trodding followers of MS to think that they are fully MS compliant. Whoever it is; smart man.

I liked the part about php scripts ending w/.asp

[budgenator]

Right know I'm not sure what he was doing! Probably doing multiple ports, one to PHP, one to VB. Hints of a serious commercial effort here. I'll bet Law-enforcement don't have a clue even with the code. It still sounds like we being BS'd by the hacker/cracker here; and the Feds are letting it slide because he copped a plea.

Oh in case anyone isn't aware of it, Parole Boards usualy don't even look at what a potential Parolee was convicted of, they look at what he was charged with originaly. So Copping a plea effectively means admitting guilt to all of the charges, not just what you are convicted of. Don't like it, serve all of the sentence, its your choise.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Perhaps reading the article would be recommende

... cat stepped on my keyboard ...

"You" should have used PawSense ( http://www.bitboost.com/pawsense/ )

defendant used GNU software

[mojumbo]

ok, i noticed that in the document they expanded the 'PERL' acronym. what would they write if Brian had used GNU software in some way?

How long did the FBI beat him...

...to make him "confess" to what they claim he did? Kept in confinement for long enough and they'll make you admit to doing anything.

Re:It all seemed so clear the first time through..

BS. All of the above are guilty, excepting the reporter. What the employee did was no doubt in violation of his contract with his place of business. (you know, the standard "thou shalt not hack, crack, steal info, etc." boilerplate) otherwise, why does he need to conceal his identity? The fact that someone else did something wrong does not nullify that contract.

Now, it's unclear who would prosecute the employee if his/her name were known. The employer ostensibly being a city government, would they lodge a civil case against the employee? The FBI would probably not be involved, since it doesn't involve interstate commerce or federal property. If there were a state anti-hacking law in the state in question, the employee could be prosecuted in criminal court under that.

Be that as it may, rest assured that the legal system does not work under a "two wrongs sometime make a right" assumption. Let's say your neighbor is an escaped convict. Does that make it right for you to steal from him, or murder him?

Dealing with the case at hand, what if the person who leaked the info to the reporter didn't work in the IT department for the city government? What if the councilmen used AOL or Hotmail, and the info was snooped and leaked by an AOL or MS employee? Would that be right?

Disagreement from the real world

[drew_kime]

If you have said passwords then the intent is there to use thm - i dont care what bullshit defence you use to me.

At my last job, one of the network admins was trying to convince the management that our network procedures were insecure. After several weeks of getting nowhere, he installed some publicly available hacking tools and pointed them at our domain. Without using any of his inside knowledge of the system -- using only the default configuration of the tools -- he got a name/password list of most of the managing partners, the CIO, and the senior network administrator. None of these were passwords he would have had access to with any of his approved access from work.

He brought this list into the next meeting to demonstrate how insecure our system was. The official response was that he must have used his inside knowledge, and that no one from outside the company was that interested in trying to hack our system. This was at a law firm, BTW.

Although in the West case it's pretty clear he was also trying to rip off their site administration scripts, your assertion that mere posession of a password list equals intent to commit a crime doesn't stand up.

Is Critical Thinking Just Not Popular Anymore?

[John+Murdoch]

Yeesh!

There are a ton of breathless posts up on this subject, all saying "Gosh! He plead to the Fed charges--that means he's a crook!" And, as is all too usual for /. commentators, everybody seems to have stopped reading the prosecutor's press release right there.

Let's stop right there for a moment: this is not a news article. It is a press release, issued by the Federal prosecutor. Press releases, on their face, are designed to promote a person, product, or cause--they make no pretense at all of being comprehensive or factual. They are more than 'spin'--they are a carefully-structured form of shaping the truth. In other words, when your government lies to you, it usually uses a press release to do so. "We'll protect your civil liberties while monitoring your email and listening to your phone calls?" Press release. The many public benefits of Echelon? Press release. The pressing need for a national ID card? Soon to be a press release.

So let's put on our critical thinking hats, kiddies, and re-read this press release with a little more critical attitude. Let's start with the simple facts: Brian West was cruising a news site; he found a security flaw; he downloaded a couple of PERL scripts; he called the editor of the paper the next day and told the editor he'd found a flaw. The newspaper editor flipped out, called the FBI, the FBI showed up at Brian West's office, Brian West (really stupidly) blithely gives the FBI permission to search his hard drive and copy all of his files, and gets charged with hacking. Right?

Now let's think of the context: hackers are Evil. They get long jail terms--they do hard time. Nailing a hacker has all kinds of sex appeal for a prosecutor--computer crime is very juicy stuff for the media. (The best example is right here on SlashDot--look at how many people have read this bit of fluff and leapt to post comments about how wicked this West fellow was, and how much we should apologize for all those nasty things we said about the cops.) So just how "nailed" was West?

You'll have to go all the way down to the bottom of the press release: the maximum penalty for this misdemeanor (speeding is a misdemeanor) is a year in jail. But the prosecutor's press release says explicitly that West will probably get probation. And (read a little higher up) West has been released without bail--solely on his promise to appear--pending sentencing.

Now--why would the prosecutor's self-issued press release admit that this heinous computer crook has received a complete pass? That he won't do a day in prison, won't pay a penny in fines, and has been released without bond pending sentencing? Remember: this is the prosecutor's press release, so this is the most positive spin the prosecutor can put on this.

Because the prosecutor didn't have a case--but West had probably run out of money. Note that West had two lawyers to pay (not that legal fees in Edmond, OK or Cleveland, TX are gargantuan, but presumably West wasn't exactly rich either). There are lots of times in the American legal system where justice is lost in the rush to expediency. "Criminals" plead guilty to misdemeanors with no penalties because they can't afford the cost of a trial. Prosecutors demand guilty pleas--even if there is effectively no sentence--in order to chalk the case up as a "win". This, I'd bet, is precisely one of those cases.

Ask yourself this question: if the Justice Department had issued this kind of press release for Dmitry Skylarov, would you regard it as a rousing vindication of the Feds--or a moral victory for the defendant?

Re:Is Critical Thinking Just Not Popular Anymore?

[sheldon]

Apparently critical thinking isn't very popular at all.

Your analysis makes a lot of assumptions, the primary one being that what this guy did was harmless and unassuming.

There were quite a number of us at the time who read the original description, and when we got to the part where after he noticed the initial flaw he kept probing downloading files and passwords, etc., thought "Why?"

This guy went too far. It's quite possible he didn't mean any harm, and that's why the prosecutors are being lenient on him.

But he was clearly a clueless numbskull who deserves to get his hand slapped.

You need to lose your preconceived notions of the sexiness of computer crimes, or that law enforcement officers don't understand the issues. That might have been true in the 80's and even ten years ago, but times have changed.

Re:It all seemed so clear the first time through..

[tzanger]

Without this bit of hacking the councilors would've gotten away scot-free. Because of it two resigned and the rest were soundly defeated six months later in elections. The employee managed to conceal his identity and no sane person would try to convict the press member of a crime.

So... what you're saying is that if you want to be a white hat, you better be a politician or risk incarceration?

Re:It all seemed so clear the first time through..

[Ratteau]

What the employee did was no doubt in violation of his contract with his place of business

Maybe, but no employment contract that I know of covers confidentiality of illegal activity. Whistleblowers are protected by laws to guard against just this sort of thing. If your employer is engaged in illegal activity, you have every right to expose them.

Let's say your neighbor is an escaped convict. Does that make it right for you to steal from him, or murder him?

This is not an analogous example.

Re:It all seemed so clear the first time through..

[joedavis123]

So if you were to leave your house and forget to lock your front door, and I walk by and notice your door unlocked, then all your furniture and computer equipment is gifted to me? Hell, since it was poorly protected, it must be considered public right?

This is an isolated incident...

[pjrc]

... I'm sure everything else slashdot has linked to is still entirely accurate....

Hah.

[szcx]

To the drones who blindly believed his side of the story without looking into it further, I have two words for you; suck it.

Re:It all seemed so clear the first time through..

[poot_rootbeer]

> But the passwords *were* gifted to the
> individual. They were so poorly-protected as to
> be considered public.

No.

That's like someone putting a pie out to cool on their windowsill, and you tresspass onto their backyard and steal the pie.

If they didn't want you to have the pie, they should have kept the window closed and erected a barbed-wire fence around their yard, right?

.ASP??

[Fembot]

how long have php scripts had the extension .ASP is this some new iis feature i am unware of?

That's called allocution

If you ever watch Law and Order, you'd know that in order to plead guilty you have to admit under oath to all the details of the crime.

He may have pleaded out to the misdemeanor charge simply to avoid being convicted of a felony by an ignorant jury, or perhaps just to avoid legal fees, or maybe just to get his computers back. Note that the US Attorney's office is recommending probation.

Re:It all seemed so clear the first time through..

[crazyj]

I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here... ) being that cool that they deserved to be stolen.

Why is it that a small town newspaper's Perl scripts are less valuable than a big newspaper's perl scripts? If I write code for a small company does that my my code or my talent less than that of someone who works for a big company?

Re:New laws saying this is "life behind bars" offe

thats why you keep a batch file handy to erase your hard drive. its easier to reattain your HD than it is serving jail time.

Re:It all seemed so clear the first time through..

[parliboy]

The analogy doesn't hold. In this case the "house" is a location where the very idea is to take things. And it's not as if the owner's of the house put "please don't touch" signs on their favorite set of china. This is more giving your things to the Goodwill and then realizing that your wife accidentally put your favorite jersey in with the load.

A side effect of placing a document online in a publically accessible place is that people can get it. That's the entire point of the Internet, and if a site fails to properly obfuscate something, then it runs the risk of having its material copied. (This isn't the same as saying that the material can be republished freely).

If any publication accidentally prints something, it's free to be read by any. Granted, a drastic error in an advertisment doesn't have to be honored, but that doesn't apply here either.

This doesn't mean that Brian was in the clear, and to me, there should have been other issues of a more civil nature:

Where Brian should have had trouble is not in having the copyrighted source code, but in trying to develop this new version of the software using the old code without using some sort of clean room technique with another coder. To me, there was just a badly botched, half-assed reverse engineering attempt and nothing more.

Re:It all seemed so clear the first time through..

[darkonc]

Without this bit of hacking the councilors would've gotten away scot-free. Because of it two resigned and the rest were soundly defeated six months later in elections. The employee managed to conceal his identity and no sane person would try to convict the press member of a crime.

In the eyes of the law, cracking is cracking.

In this case it was a government computer. It would only take one instance of a reporter getting a hard life sentance for using computer information to expose criminal politicians. After that, there would be a serious damper on the idea of any sort of press investigation of crooked politicians.

Re:It all seemed so clear the first time through..

[GMFTatsujin]

Yes im sure that this would prove that and if you got my password list i would resign from my company - thats proffeisonalism (although as i run a secured netWrk with 2 firewalls and a DMz server between the internet and all of my secured domain servers (with pin security access for remote logon and mail access only at that point - it would be a fucking good hacker (you aint he) who could manage it - and we have paid to have it tested - i would probably hire anyone who could do it in fact !)

You may be a crackerjack sysadmin, but you'd make a shitty programmer - failure to close nested perens.
Tatsujin

You're still doing it...

[Medievalist]

So you hate yourself because you believed the perp's story, and now you are (equally uncritically) believing the cop's story?
As I read the indictment, there is a lot open to interpretation. There are a lot of claims that the guy "was going to" do bad things [tm] and a very, very slim list of questionable actions that were admittedly taken.
The scientific method enshrines skepticism as a primary virtue. Faith is the domain of religion. Neither Slashdot nor your local police department require or deserve religious devotion.
--Charlie

Re:It all seemed so clear the first time through..

[e40]

Possession IS intent? I don't think so. Possession is proof of theft, not intent to use the passwords. Do you also think my possessing a gun is proof I'm going to rob a bank?

I hope this doesn't have a negative impact...

[thejake316]

...on the next Batman movie. I hear he'll be in it, playing a villian. Did he go to his court appearances in the Batmobile? or is that just on the Simpsons?

Simpsons reference == instant karma, pay up.

Re:It all seemed so clear the first time through..

[dmarcov]

No, not at all. Just perhaps less demanding, in that a design methodology that is acceptable for a smaller/lower volume operation usually isn't as sophisticated as what would be needed by a larger shop. Why pay the big $$$ that I'm sure you charge for your expertise to get a great solution, when you can have "good enough" for less.

Maybe the statement he signed isn't accurate

[Suicyco]

Just being devils advocate here, but perhaps he was so scared and had no good legal backing that he signed the guilty plea to avoid further trouble. This looks like a statement the FBI prepared and asked him to sign, not a confession he himself worded. Perhaps, just perhaps, the FBI did not fully understand what they found but demanded that these are the charges and a guilty plea must be plead according to these charges. Pleading guilty many times is prefferable to pleading innocent and then being found guilty.

Dunno, just a supposition...

Re:It all seemed so clear the first time through..

[ihadalittledog]

Yes, but the password files and perl scripts were not stored in a manner intending to allow them to be world readable - he had to exploit a security flaw to get to the files. If he had gone to the web site and discovered that the files were posted in plain view on their home page, I would agree more with your point.

Re:It all seemed so clear the first time through..

[wallsg]

But the passwords *were* gifted to the individual. They were so poorly-protected as to be considered public.

If you forget to lock your front door are you gifting whatever a thief decides to take, including any credit card numbers he may happen to find (had to throw that one in there to defuse the bogus argument that it isn't theft unless something is physically taken)?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:It all seemed so clear the first time through..

[Alsee]

you cant say you dont recognise it and therefore get away with it.

I said I disagreed with certain laws. I never claimed immunity from them.

I think possessing the passwords is itself proof of intent to use them in most cases - otherwise why have you got them ?

Your own choice of words "in most cases" proove my point about intent. "Most" is not proof. We cannot (or at least should not) convict someone based on "most". Different people have different motivations and intents.

How about this somewhat different example - Someone hacks root access on a computer. The ONLY thing he does is leave the sysop a message about the security hole and how to fix it. Violation of current law? Yes. If Congress passes the AntiTerrorismAct as currently worded it potentially carries a life sentence without parole.

The laws we apply to a case like this, and every other aspect of our society, is a choice between various options. I belive allowing an AntiTerrorismAct with up to life sentence to apply is a Bad Thing. I belive a treating it as a felony based on Intent is a bad choice which I will oppose. I belive treating it as a misdemeanor is a reasonable choice. I also belive that restricting punishment to cases of harm done is another reasonable choice.