Slashdot Mirror


Brian West Update

Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.

12 of 313 comments

  1. It all seemed so clear the first time through... by dmarcov · · Score: 4, Interesting

    I remember reading that story and thinking that here was a good guy -- one of us, doing a fairly nice thing and reporting a security hole (that obviously someone other than him should have been the first to notice). I remember being more than a bit outraged that law enforcement couldn't tell the difference between breaking into a system maliciously, and just noticing something amiss.

    Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy I suppose. I think it is the for "profit" motive - that he would steal someone else's work and try to sell it as his own is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
    I'm glad the rest of the details came out on this one.

  2. Don't profit from criminal acts by sting3r · · Score: 1, Interesting
    Isn't it obvious to us computer types by now that trying to profit from shady/unscrupulous/criminal acts will land you in trouble with the legal system? The precedents are overwhelming:

    • If I give copies of WinXP to my friends or share them on an ftp site, either a) nothing will happen, or b) my ISP will cut me off. If I try to sell them to strangers, I will go to jail.
    • If I discover a security hole and report it to BUGTRAQ, nobody cares. If I try to use it for extortion or try to sell the information, I will go to jail (just like this guy).
    • If I run a (arguably) for-profit song-swapping service that deals mostly in copyrighted songs (which I have no license to distribute), I will get sued into oblivion. If I am a Gnutella node, the worst they can do is cancel my @home account.

    Crime doesn't pay (much).

    -sting3r

  3. Re:And another thing... by bl1st3r · · Score: 2, Interesting

    Chill... :) My intentions were honorable. I was still under the impression at the time of the posting that he was only trying to help out and that any documents obtained from the server were to test what vulnerabilities were present (as was reported in the first article). I somehow missed the part where he was trying to sell the scripts he stole for a profit...

    --
    hrrm.
  4. Re:It all seemed so clear the first time through.. by q-soe · · Score: 5, Interesting

    As a corporate IT manager I would like to ask you one question?

    Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy?

    The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - I look at this as a simple thing - it is unauthorised access and therefore illegal.

    When will some people get this through their heads - if you have someone else's account and password obtained from any source which does not have authority (eg the Sysadmin or network admin) then you are committing a crime - you should not have it.

    It doesn't matter what you do with them or where you got them, possession is Intent - Intent is used to prosecute.

    Think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or articles on hacking, maybe a hacking program and they find a list of passwords and logins to systems and websites.

    Guess what - that's intent and you are getting charged with hacking, if they happen to be bank system passwords you are probably going to be charged with fraud. They might not prove the charges but they have sufficient prima facie evidence of crime of intent to commit to charge you with these things.

    I cannot see ANY justification to have lists of passwords and user names to anybody else's system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap it's not funny and it's the argument all the hackers attempt when they are caught.

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  5. Re:It all seemed so clear the first time through.. by DNS-and-BIND · · Score: 3, Interesting

    But the passwords *were* gifted to the individual. They were so poorly-protected as to be considered public.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  6. Could reality be... by stox · · Score: 3, Interesting

    Is it possible that Brian West was confronted with the following:

    FBI: Mr. West, we'll give you a choice, you can plead guilty and admit to the following and serve a light sentence, or you can fight this for the next five plus years, probably be found innocent, while you and your family starve in the meantime.

    Mr. West: Um..Um...Um....OK, where do I sign?

    Don't believe this can happen? It already has to others. Unless you are an absolute saint, few of us are, you don't stand a chance if the big wheels decide to roll in your direction.

    --
    "To those who are overly cautious, everything is impossible. "
  7. Pretty advanced language for a court document by zaius · · Score: 3, Interesting

    That's the first government document I've ever seen discuss various programming languages like perl and PHP... you don't see court orders talking specifically about perl scripts very often...

  8. Re:Only one side of the story by q-soe · · Score: 3, Interesting

    You have a good point about this but for one simple fact - and this can be found by reading the logs - this guy isn't going to trial because he hung himself out to dry by admitting he had done it, boasting to people (including the editor of the paper) keeping the stolen files and then giving passwords to a friend.

    In other words the evidence alone would hang him - the fact that he tends to come across as an arrogant person in his writings and letters, and don't forget he only tried the white hat when caught.

    People like this guy think the law doesn't apply to them, they think that computer crime is something no one else will understand and that makes it hard to prove etc, it isn't - trust me I have worked with Australian Federal Police investigators at a previous role (involving an attempted hacking incident at a financial institution) these guys were very very smart and skilled and 2 of them were ex hackers (1 who had served jail time) they know what they are doing.

    This guy has to have committed the most amateurish, pathetic and misguided hack in history and then thought he could use the open source movement to cover himself and the EFF to protect him - he was wrong and this should teach us a lesson.

    All is not what it seems in these cases - IMHO there is no such thing as white hat or black hat ONLY hackers - any justification you can try and find won't change the fact that these guys support an ethos surrounded in getting access to things they haven't been given.

    Hacking is wrong. FULL STOP

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  9. Re:Think about it by chickenmilkbomb · · Score: 3, Interesting

    When I was growing up, my parents used to leave a key to the house hidden under a rock in the backyard in case I got home and they weren't there. I know other people that did the same thing. Some people might say this is a common and well known security hole in single family dwellings.

    Now if someone found that security hole, would it be ok for them to take the key and make a copy? Would it be ok for them to repeatedly break into my house to take my personal possessions? Would it be ok to distribute the key to others? For a profit? Would it be ok as long as they told me about it later and told me how they could make my house more secure?

    The existence of a security hole does not make it ok to steal. That's the bottom line. Pick another cause to fight for.

    --
    He hates these cans!!!
  10. Of course, the first time I decide to speak out... by DeVilla · · Score: 3, Interesting

    After reading about this case for the first time I felt it necessary to write the DOJ lawyer and state my thoughts. It was the first time I ever felt so motivated. It was astounding that he would be arrested for helping a site with poor security, yet absolutely believable given the state of US law concerning computers, the net and IP.

    I know someone who showed his employer that the Win95 'login' passwords could be considered security since they could be bypassed with the cancel button, and they chewed him out for "hacking" their computers. He also had a web page about the place he worked. (Nothing rude. He was actually pretty proud of the place.) It had some pictures from a pamphlet that the company would give to customers to learn about the company and what they did. They fired him claiming he was trying to impersonate the company on the web and also claimed he was violating their copyright by using the pictures from a pamphlet that anyone could pick up for free.

    Anyhow, it figures the first time I speak out, the case is a lie at face value. I have to admit I feel used and perhaps even mildly abused. I would write Sheldon Sperling back to apologize but I figure he has gotten enough email about this case. I am glad I had the presence of mind to mention in my message to him that I know the defendant could be lying and in that case my statements might not apply.

  11. Re:Of course, the first time I decide to speak out by Anonymous Coward · · Score: 1, Interesting

    You sound like a good person. For the record, Brian West may not have been lying. It is a common technique to threaten the accused party in order to get them to agree to a lesser charge. Since the DOJ needed an out with all the publicity, the entire story line of downloaded Perl scripts for profit could have been concocted for this purpose. And West would have signed at the dotted line to avoid the multiple charges and a lengthy trial for which he did not have the funds to fight a government bureau. We may never know. Or Mr. West may choose to make a statement at a future date (when it is safe to do so) which will present another side to this story. The present revelations are based entirely on a government published text. Look to the source to reveal the interests of truth.

  12. Re:Think about it by pandaman9000 · · Score: 3, Interesting

    Incorrect. I worked at the HelpDesk of G.E. in Appliance Park, Kentucky, their central IT and server location, and different happened for me. I was on a COMMON mapped drive, provided (with FULL read and write permissions) for everyone in building 4 (IT), by default. The server was BLDG4USERS1. The pccommon directory is essentially a repository for temporary items from users of the system. Anything can be read or deleted by anyone. In this mapped drive, I found a folder, Jenne, which contained various items. Among these (yes I was on lunch, and had time) were router configurations, switch configs, and even weak encrypted enable passwords. When I approached the person I believe owned the folder (a GE network support person), he didn't seem concerned or alarmed. He did, however, thank me. Since we were both in the break area (I know I was on break), I went on to divulge that I had also noticed his social security number in an expense report, apparently pre-filled, to expedite his filing of such reports. This took him by surprise, and he gave me an apparent sincere thanks. I had already approached my immediate supervisor about notifying him, but he had no solution, and no interest in doing so. I did not want to carry this clear up the chain of command, because, as a creative and enthusiastic person, I had made enough waves trying to get a Cisco CCNA/NP lab up and running. I lost my job. I was 'untrustworthy'. There are no hidden facts, I'm not slanting the story, and I can even see how snooping into a personal DRIVE could be real bad. This was a PUBLIC drive. I could've deleted his whole folder....