Slashdot Mirror


Brian West Update

Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.

23 of 313 comments

  1. not much pity here..... by dragonxhero · · Score: 4, Insightful

    some posts act like this guy is innocent.... IMHO, he shouldn't be punished for the penetration or browsing, cause he reported it to the company.... but, he apparently deliberately lied to the company about some stuff, and attempted to steal some of their intellectual property for his own personal gain.... sorry, this guy seems a bit shady, and it seems to me he got what he earned for himself....

  2. It just goes to show.. by DavidBrown · · Score: 5, Insightful

    ..that we shouldn't automatically believe the story of every hacker/cracker/defendant who claims that he's being prosecuted for being a "good citizen". Every single prosecution of someone for some sort of "computer crime" isn't cause for us to plead for more donations to the EFF.

    This isn't to say that we shouldn't support the EFF.

    Most every criminal defendant comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.

    The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.

    --
    144l. ph34r my 133t l3g4l 5k1lz!
    1. Re:It just goes to show.. by Absynthe · · Score: 2, Insightful

      Admitted to being one I think is a huge key. Right now is not a great time to be an evil hacker in front of a jury. He might have just decided it was best to plea and get what he possibly could. I just can't imagine this newspaper's Perl scripts or whatever he had as having resale value. Is anybody in that market? It just seems insane to me. Seems like he would have had an easier time hacking apart slashcode to get what he wanted.
      On the other hand, he may have done something just like that. I'm just saying these are interesting times. I wouldn't take a confession of guilt to mean that the release put out is the truth, the whole truth and nothing but the truth.

  3. read the story folks by evilpimpstar · · Score: 5, Insightful

    This guy stole. It's sorta like if you saw a Wells Fargo truck with the back door open, took a couple of money bags, then told the driver, "Hey, your back door is open."

    I think you'd be arrested too.

    --
    you reap what you sow
    1. Re:read the story folks by aozilla · · Score: 3, Insightful

      Nothing is missing. It's more like if you saw a pinball machine which had unlimited free games, played for an hour, and then reported it to the owner.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  4. Re:This whole thing makes me so mad. by q-soe · · Score: 3, Insightful

    Any 5 year old can sell crack - it's illegal as well.

    He didn't just 'hack it' he stole data - that's a computer crime and he pled guilty - end of case.

    I was one of those people who said this the last time and got flamed and moderated down for suggesting the guy might not be all he seemed.

    Some slashdot readers need to read the information and think about things.

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  5. Re:'Secure' information by evilpimpstar · · Score: 2, Insightful

    so by this way of thinking a bank doesn't become "secure" unless you try to steal some money from it, right?

    --
    you reap what you sow
  6. Re:And another thing... by Lonesmurf · · Score: 3, Insightful

    no, some posters are just stupid.

    let's use your window analogy:

    The defendant, using a security vulnerability known as a Window, was able to break inside INSERTCOMPANYNAMEHERE and read and copy confidential documents sitting on a desk. He then gave a copy of the papers to a friend to show him how utterly 1331 he was and then told the company about the problem with breaking through a Window. However, for noticing the stupidity of BRIAN WEST, the prosecution is serving legal papers up within a court hearing for misdemeanor charges of breaking inside a building through a window without authorization.

  7. How did the FBI know? by pbryan · · Score: 3, Insightful

    I'm perplexed how the FBI possibly ascertained exactly that West was rewriting the Perl scripts in PHP to resell as a product, as they indicate as the impetus of their response of search warrant and arrest.

    At first blush, it seemed like he just poked around the site a bit -- something I might do if I accidentally came across this problem, if to do nothing more than to understand the scope of the vulnerability.

    So he downloaded some files here and there. Even, *gasp*, Perl scripts. Does this constitute the theft of intellectual property? Does this warrant the execution of a search warrant by the FBI?
    It seems, on its face, that:

    a) PDNS had more information about this individual's competitive position and included this in its complaint to the FBI, or

    b) the FBI did lots of detective work (including possibly monitoring email and/or phone communication) and concluded that he wasn't so helpful, or

    c) this is simply what the FBI found after the fact as a justification for their overreaction to PDNS's complaint.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

    1. Re:How did the FBI know? by Jester998 · · Score: 2, Insightful

      I think the key to this is that the Perl scripts were *proprietary*, meaning that they were developed solely by and/or for PDNS. That IS intellectual property.

      I don't think anyone would mind if the scripts were freely available, but PDNS spent money on them.

      From what I understand, the FBI *didn't* know that he was re-writing them in PHP until AFTER they searched his laptop and workstations. Just the fact that he stole proprietary works was enough for them to initiate a search.

      Besides that, the guy downloaded and apparently changed the password list. That is NOT casual poking around to discover the extent of the vulnerability.

      Granted, if I discovered a back door, I would probably poke around too, but I wouldn't download or modify any files... if you're not meant to have it, leave it alone; it wouldn't be ethical to do otherwise.

    2. Re:How did the FBI know? by q-soe · · Score: 4, Insightful


      Answers

      A: He boasted about it to the Newspaper editor and several other people (read the info on his case on the web - it's in newspaper accounts)
      B: they didn't have to - the guy's a fool - he left the evidence on his computers and bragged to the people he hacked - who notified the local police who called the FBI
      C: Naah - this is what he did wrong - he committed a crime and got caught and charged - why bother to keep defending the little shit ?

      The argument over intellectual property is so much crap - they were on a secured password protected section of a server he had no legal access to and also I will point out one belonging to a competitor of his - and he stole them thus committing theft.

      The FBI has jurisdiction on this and the other reason they were called in one suspects is that the brain dead I mean defendant boasted about hacking into a local bank's systems (a lie it seems but he said it on the record in an interview with the newspaper and it was thus reported) and if that bank had Federal Investment Deposit Insurance (FIDC) then any crime committed against it becomes a federal crime and the FBI investigates.

      Now are we done defending this guy ? he's a hacker - full stop.

      --
      I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  8. As Paul Harvey says, Now for the rest of the story by pgrote · · Score: 2, Insightful

    It's great that the truth according to the prosecutor came out. Anyone with any sense can understand that what he did wasn't noble nor helpful. It was wrong and illegal.

    But ... wouldn't you love to know if the paper understood what happened to it? Wouldn't you love to know what happened to their webmaster? Their network administrator?

    In the IT world mistakes like this are often glossed over and not taken seriously. One would expect to be fired over something like this, but alas, they are not.

    The best example of this is the Code Red and NIMDA fiasco. I can't tell you how many admins should have been terminated for not properly patching their systems. It is amazing.

  9. Re:Perhaps this is yet more proof by pde · · Score: 2, Insightful

    Good *god*, how long is it going to be before people stop believing this argument? This isn't like someone "noticing that you left your car doors unlocked and pointing it out to you". It's like someone noticing your car doors are unlocked, climbing in, popping the trunk, having a good look around in there, rifling your glove box, stealing the paper you left there with the access code for your home security code on it, and grabbing a copy of the business plan and customer list you had in the back seat.

  10. Re:And another thing... by Moridineas · · Score: 2, Insightful

    Actually it would seem to be more like:

    While looking inside a Window, he realized it wasn't locked, opened the window, found some confidential documents laying around, made photocopies of them to keep, showed other people, made a few "adjustments" to the original copies, and then informed the company that they left their window unlocked.

    Scott

  11. Gray area in confidential info.... by AtomicBomb · · Score: 4, Insightful

    This case is quite clear cut that Brian West had done something stupid and wrong. He deserves what he gets.

    But, there are cases that are not always as clear cut as that. In this case, we can identify his criminal intention from his download of password list then use it to exploit other parts of the system.

    What if the confidential / proprietary info is left in a completely unencrypted/protected state? A few months ago, when my friend was looking up info for a robot toy from a very high profile website, the ColdFusion server encountered some internal errors and dumped out its own scripts and even the **administrative password**. My earlybird friend cached the page and showed up later on today.... The intention seems to be benign enough, but the material evidence seems to be the same.

    That's why, when ridiculous convictions really occur, we still need the community, we still need EFF. In some cases, we are the only people who understand what we are thinking...

  12. Re:Not exactly a White Knight by legLess · · Score: 3, Insightful
    Quoth you:

    The things listed in that last paragraph would be consistent with a simple, innocent test to see if the passwords/access worked.

    Then at very least he's guilty of extreme stupidity. But that's not the case - his sworn testimony is that he planned to redistribute the code he downloaded and profit from it. That's what makes this a crime.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
  13. Hey people he got what he DESERVED by t0qer · · Score: 2, Insightful

    I'm just blown away by the fact people actually defend this guy! We all have to start changing our view on security breaches by bringing in real life analogies.

    If this guy had gone to the front door of his competing ISP, noticed it was unlocked and then walked in, HE WOULD BE GUILTY OF BREAKING AND ENTERING.

    The whole underground movement of "let's push doors to see what's open and make ourselves look good by admitting to breaking and entering" isn't going to cut it anymore in this post terrorism world. He committed a crime plain and simple, doesn't matter if the key was copper or RSA. You are not a good neighbor if you are constantly looking for ways to break into my house. Especially if I don't even know you!!

    It's true, people do need to check their firewalls and whatever other security means they have for exploits, but it does not give anyone a license to go willy nilly on the net looking for exploitable systems. If someone has a system infected by nimda and you see their IP coming across your firewall, yes call them. That's OK cause you are not breaking or entering.

    --toq

    ~~~Moderators, note I posted this with my real account. Unlike the karma whoring anonymous cowards I stand behind my opinions.

  14. Re:The worst part of it is: by SightlessOne · · Score: 2, Insightful

    Okay I can agree that some officials (cops etc.) may not quite know what they're talking about. I did believe him when this story first came about, and I felt it was wrong because of the idiocy of these aforementioned officials. However, I somehow doubt that the facts presented have been completely fabricated by the DoJ (ie he *HAD* the perl scripts on his computer and was porting it to php).

    I'm prolly gonna be smacked around for saying this, but come on people seriously..

  15. Maybe the FBI...? by Scratch-O-Matic · · Score: 2, Insightful

    Hmmm...maybe the FBI really ARE the good guys!

    I think this is an excellent opportunity to put things in perspective. The FBI, along with other government agencies, are much maligned on Slashdot. Now, I'm all for civil debate. Wanting to know the facts, and not believing everything you're told, are good things that should be encouraged here in the US. Those principles are espoused here except, it seems, when dealing with law enforcement and intelligence agencies. Remember this case next time you are quick to judge an investigation or trial.

    --


    Evil is the money of root.
  16. Donated and glad that I did by Anonymous Coward · · Score: 1, Insightful
    I'm glad that my $45 helped Mr. Brian West hire an attorney, as he probably wouldn't be able to come up with a 5-figure amount on his own. I'm glad that, using this attorney, he was able to get the punishment fitting his crime - as opposed to some inflated jail term given in order to "set an example".

    Finally, I'm glad he wasn't innocent, because there would have been no point helping an innocent man hire an attorney. And should I someday be in BKW's shoes, I hope that somebody does the same for me.

  17. Who wrote a letter? by tiny69 · · Score: 4, Insightful
    OK
    Who here wrote a scathing letter to the editor or someone else regarding this incident when it first came out?

    I should see more hands than that!

    For those that did raise their hand, did you write them an apology for your uncalled for comments? Go on, raise your hand.

    I didn't think so.....

    --
    Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  18. Re:It all seemed so clear the first time through.. by ihadalittledog · · Score: 2, Insightful

    "But the passwords *were* gifted to the individual."

    Does that mean if I don't lock the door to my house, I have "gifted" all of my possessions to my neighbors? If they take my stuff, it's still stealing.

    I may have been stupid to leave my door unlocked, but that's another story.

  19. Is Critical Thinking Just Not Popular Anymore? by John+Murdoch · · Score: 3, Insightful

    Yeesh!

    There are a ton of breathless posts up on this subject, all saying "Gosh! He plead to the Fed charges--that means he's a crook!" And, as is all too usual for /. commentators, everybody seems to have stopped reading the prosecutor's press release right there.

    Let's stop right there for a moment: this is not a news article. It is a press release, issued by the Federal prosecutor. Press releases, on their face, are designed to promote a person, product, or cause--they make no pretense at all of being comprehensive or factual. They are more than 'spin'--they are a carefully-structured form of shaping the truth. In other words, when your government lies to you, it usually uses a press release to do so. "We'll protect your civil liberties while monitoring your email and listening to your phone calls?" Press release. The many public benefits of Echelon? Press release. The pressing need for a national ID card? Soon to be a press release.

    So let's put on our critical thinking hats, kiddies, and re-read this press release with a little more critical attitude. Let's start with the simple facts: Brian West was cruising a news site; he found a security flaw; he downloaded a couple of PERL scripts; he called the editor of the paper the next day and told the editor he'd found a flaw. The newspaper editor flipped out, called the FBI, the FBI showed up at Brian West's office, Brian West (really stupidly) blithely gives the FBI permission to search his hard drive and copy all of his files, and gets charged with hacking. Right?

    Now let's think of the context: hackers are Evil. They get long jail terms--they do hard time. Nailing a hacker has all kinds of sex appeal for a prosecutor--computer crime is very juicy stuff for the media. (The best example is right here on SlashDot--look at how many people have read this bit of fluff and leapt to post comments about how wicked this West fellow was, and how much we should apologize for all those nasty things we said about the cops.) So just how "nailed" was West?

    You'll have to go all the way down to the bottom of the press release: the maximum penalty for this misdemeanor (speeding is a misdemeanor) is a year in jail. But the prosecutor's press release says explicitly that West will probably get probation. And (read a little higher up) West has been released without bail--solely on his promise to appear--pending sentencing.

    Now--why would the prosecutor's self-issued press release admit that this heinous computer crook has received a complete pass? That he won't do a day in prison, won't pay a penny in fines, and has been released without bond pending sentencing? Remember: this is the prosecutor's press release, so this is the most positive spin the prosecutor can put on this.

    Because the prosecutor didn't have a case--but West had probably run out of money. Note that West had two lawyers to pay (not that legal fees in Edmond, OK or Cleveland, TX are gargantuan, but presumably West wasn't exactly rich either). There are lots of times in the American legal system where justice is lost in the rush to expediency. "Criminals" plead guilty to misdemeanors with no penalties because they can't afford the cost of a trial. Prosecutors demand guilty pleas--even if there is effectively no sentence--in order to chalk the case up as a "win". This, I'd bet, is precisely one of those cases.

    Ask yourself this question: if the Justice Department had issued this kind of press release for Dmitry Sklyarov, would you regard it as a rousing vindication of the Feds--or a moral victory for the defendant?