Brian West Update

Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.

It all seemed so clear the first time through...

[dmarcov]

I remember reading that story and thinking about here was a good guy -- one of us, doing a fairly nice thing and reporting a security hole (that obviously someone other than him should have been the first to notice). I remember being more than a bit outraged that law enforcement couldn't tell the difference between between breaking into a system malciously, and just noticing something amiss.

Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy I suppose. I think it is the for "profit" motive - that he would steal someone elses work and try to sell it as his own is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
I'm glad the rest of the details came out on this one.

Re:It all seemed so clear the first time through..

[q-soe]

As a corporate IT manager i would like to ask you one question ?

Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy ?

The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - i look at this as a simple thing - it is unauthorised access and theefore illegal.

When will some people get this through their heads - if you have someone elses account and password obtained from any source which does not have authoirity (eg the Sysadmin or network admin) then you are commiting a crime - you should not have it.

It doesnt matter what you do with them or where you got them, possesion is Intent - Intent is used to prosecute.

think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or artivles on hacking, maybe a hacking program and they find a list of passwords and logins to systems and websites.

Guess what - thats intent and you are getting charged with hacking, if they happen to be bank system passwords you are probaly going to be charged with fraud. They might not prove the charges but they have sufficient prima fascie evidence of crime of intent to commit to charge you with these things.

I cannot see ANY justification to have lists of passwords and user names to anybody elses system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap its not funny and its the argument all the hackers attempt when they are caught.