Slashdot Mirror
Brian West Update
Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.
I wonder if this is the kind of "law breaker" DoJ hopes to lock behind bars for the rest of his life?
`find / -name "*your_base*" -exec chown us:us {} \;`
Does that mean if you tell a competitor's client "I see you use NT" that you will go to jail ?
It seems that his plight was not as was reported. It says he was trying to profit from the stuff he downloaded. Maybe he wasn't so innocent after all.
I remember reading that story and thinking about here was a good guy -- one of us, doing a fairly nice thing and reporting a security hole (that obviously someone other than him should have been the first to notice). I remember being more than a bit outraged that law enforcement couldn't tell the difference between between breaking into a system malciously, and just noticing something amiss.
Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy I suppose. I think it is the for "profit" motive - that he would steal someone elses work and try to sell it as his own is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
I'm glad the rest of the details came out on this one.
... I am the kind of pollyanna cretin who beleived the guy when he put forth the story that he was being punished for doing his competitor a favor. "Why you bad men always pick on nice hacker fellers? You mean men!"
The theft and the defacement are so banal. The really bad part is how angry I got at the "injustice" done him by the unthinking cops.
Sorry cops.
I was going to mod this down, but I am just going to reply instead. This isn't insightful or interesting, it is WRONG. The new law only applies to .GOV and .MIL websites. The site brian west hacked into was neither. Get your facts straight before you start spouting nonsense.
I can't find the original story on the new DoJ laws because the stupid slashdot search is not working. Someone want to back me up on this or provide a link?
rJames.org - illustration
some posts act like this guy is innocent.... IMHO, he shouldn't be punished for the penetration or browsing, cause he reported it to the company.... but, he apparently deliberately lied to the company about some stuff, and attempted to steal some of their intellectual property for his own personal gain.... sorry, this guy seems a bit shady, and it seems to me he got what he earned for himself....
This is exactly the kind of cracking that needs to be prosecuted. This jerk wanted to have his cake and eat it too: look like a hero for publicizing the security hole, then profit from stealing another's work. It doesn't even sound like he was very smart about it.
Some people posted in the original article saying basically the same thing, but were ignored or flamed. Others were obviously lied to. People wrote letters, donated to the EFF, etc.
It's nice to see such noble acts, but please folks, take cases like this with a grain of salt until the truth comes out, eh? We geeks already have enough of a reputation for being reactionary.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
..that we shouldn't automatically believe the story of every hacker/cracker/defendant who claims that he's being prosecuted for being a "good citizen". Every single prosecution of someone for some sort of "computer crime" isn't cause for us to plead for more donations to the EFF.
This isn't to say that we shouldn't support the EFF.
Most every criminal defendent comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.
The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.
144l. ph34r my 133t l3g4l 5k1lz!
No, he should go to jail as per the law requires. He not only didn't alert the system admin, he downloaded files and changed them, got access to password files and changed them, and distributed both to a friend.
Not only that, but he afterward went around an told everyone a different story than what he had actually done. I say this guy is an immature loser that deserves what he gets.
The responsible thing to do would be to anonymously mail the admin and tell him/her that such and such exploit is open and that he/she should fix it.
rJames.org - illustration
It wouldn't have sounded so important as
Pathetically
Eclectic
Rubbish
Lister
This guy stole. It's sorta like if you saw a Wells Fargo truck with the back door open, took a couple of money bags, then told the driver, "Hey, you're back door is open."
I think you'd be arrested too.
you reap what you sow
Any 5 year old can sell crack - its illegal as well.
He didnt just 'hack it' he stole data - thats a computer crime and he pled guilty - end of case.
I was one of those people who said this the last time and got flamed and moderated down for suggesting the guy might not be all he seemed.
Some slashdot readers need to read the information and think about things
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Lets apply this to non-computer terms and see what we have:
The defendant, using a security vulnerability known as a Window, was able to look inside INSERTCOMPANYNAMEHERE and read confidential documents taped on the wall. He then told the company about the problem with looking through a Window and the company bought blinds, thereby fixing the hole. However, for noticing the stupidity of INSERTCOMPANYNAMEHERE, the defendant is being served up with a court hearing for misdemeanor charges of looking inside a building through a window without authorization.
Some companies are just stupid.
hrrm.
It seems like those posting comments so far haven't read the article.
It seems that West exploited the security flaw to his own benefit before reporting it to the competitors. THAT was why he was charged, and THAT is why he plead guilty.
It also says that he hacked the Potea Daily News website, downloaded some files, then claimed that his intrusion was accidental... Oops, my cat stepped on my keyboard, and it happened to be the correct user name and password!
"Now gluttony and exploitation serves eight!" - TV's Frank
Copying password lists and using them to access data normally forbidden is not ethical in any way, and probably shouldn't be legal. He copied their perl lists via the security hole, which shouldn't be legal either. What he gets charged for is something else. One can, I suppose, complain about the charge- but one really can't say that he did nothing unethical. (BTW, they messed up the perl acronym- it ought to retain its more dignified name of Pathologically Eclectic Rubbish Lister.)
so by this way of thinking a bank doesn't become "secure" unless you try to steal some money from it, right?
you reap what you sow
No, you are wrong.
It applies to "protected computers"
From 18 USC 1030(e):
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;
That's basically any computer on the internet.
Crime doesn't pay (much).
-sting3r
`"it is important that web sites are secure from unauthorized access and that intellectual property is protected. Cyberspace will be a better place for all if such privacy and property rights are respected," stated Assistant United States Attorney Jeff Gallant.'
Also from the release:
"Using MS Front Page, defendant discovered a common security flaw between MS Front Page and MS Internet Information Server (IIS), the server software being run by
PDNS."
So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user that was clever enough to discover yet another innovative, undocumented feature in the software..
Since the DoJ is obviously committed to making sure "that web sites are secure from unauthorized access and that intellectual property is protected," they'd better throw the FBI at any average citizen that is smart enough to research the (in)security of the software that they use, instead of targeting the company that is more concerned with taking your money than making sure it actually works.
Ahhh.... I somehow missed the point about him trying to make a profit from the re-writing of the scripts. However, isn't that what reverse engineering is all about? It is just easier with PERL because it isn't compiled.
hrrm.
I'm perplexed how the FBI possibly ascertained exactly that West was rewriting the Perl scripts in PHP to resell as a product, as they indicate as the impetus of their response of search warrant and arrest.
At first blush, it seemed like he just poked around the site a bit -- something I might do if I accidentally came across this problem, if to do nothing more than to understand the scope of the vulnerability.
So he downloaded some files here and there. Even, *gasp*, Perl scripts. Does this constitute the theft of intellectual property? Does this warrant the execution of a search warrant by the FBI?
It seems, on its face, that:
a) PDNS had more information about this individual's competitive position and included this in its complaint to the FBI, or
b) the FBI did lots of detective work (including possibly monitoring email and/or phone communication) and concluded that he wasn't so helpful, or
c) this is simply what the FBI found after the fact as a justification for their overreaction to PDNS's complaint.
My car gets 40 rods to the hogshead, and that's the way I likes it!
It's great that the truth according to the prosecuter came out. Anyone with any sense can understand that we he did wasn't noble nor helpful. It was wrong and illegal.
... wouldn't you love to know if the paper understood what happened to it? Wouldn't you love to know what happened to their webmaster? Their network administrator?
But
In the IT world mistakes like this are often glossed over and not taken seriously. One would expect to be fired over something like this, but alas, they are not.
The best example of this is the Code Red and NIMDA fiasco. I can't tell you how many admins should have been terminated for not properly patching their systems. It is amazing.
Good *god*, how long is it going to be before people stop believing this argument? This isn't like someone "noticing that you left your car doors unlocked and pointing it out to you". It's like someone noticing your car doors are unlocked, climbing in, popping the trunk, having a good look around in there, rifling your glove box, stealing the paper you left there with the access code for your home security code on it, and grabbing a copy of the business plan and customer list you had in the back seat.
Brian did something. He may have done something wrong. He faces a "hacking" trial just as there's a national furor about the evils of the Internet. His guilty plea may be a pragmatic decision - accept a slap on the wrist instead of taking a chance with a judge or jury. Certainly we've seen plenty of examples of clueless judges reaching bad decisions because they don't understand technical issues.
(Or because they're owned by the entertainment industry.)
Actually, I beleive that it is you that is misinformed. In it's current drat, the ATA would most definately apply in this case:
...and from the draft of the ATA of 2001:
From Title 18, Sec. 1030 of the US Code:
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;
SEC. 106 INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.
(1) in section 2510-
(A) in subsection (17), by striking "and" at the end;
(B) in subsection (18), by replacing the period with a semi-colon; and
(C) by adding after subsection (18), two new subsections as follows:
"(19) `protected computer' has the meaning set forth in section 1030; and
"(20) `computer trespasser' means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer."; and
(2) in section 2511(2), by adding after paragraph (h) a new paragraph as follows:
"(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if-
"(A) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;
"(B) the person acting under color of law is lawfully engaged in an investigation;
"(C) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and
"(D) such interception does not acquire communications other than those transmitted to or from the computer trespasser.".
Entrepreneur : (noun), French for "unemployed"
Evidently, you didn't have time to read my two previous replies regarding my mistake. And I DID read the story, I just missed the small paragraph concerning the document theft.
Drop it now?
hrrm.
I'm glad legislation is in the works to treat him as such. I recommend mandatory life sentence. We cannot remain idle while our nation is being attacked by such brutal "haxorists".
I recommend mandatory life sentence.
This doesn't put a different spin on events.. it's all interpretation.
I don't knwo what really happened.. but what I recall reading was that:
He HAD access to the site.. he was working on some stuff for them.
He discovered he had access to MUCH MORE than he should have, which he tested by downloading a couple files he shouldn't have.
He told them about it.
They called the Cops/FBI/whatever...
He got arrested.
He *DID* knowingly download something he knew he wasn't supposed to have access to.. so it IS a crime.. however... where did he get the password?
As a corporate IT manager i would like to ask you one question ?
Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy ?
The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - i look at this as a simple thing - it is unauthorised access and theefore illegal.
When will some people get this through their heads - if you have someone elses account and password obtained from any source which does not have authoirity (eg the Sysadmin or network admin) then you are commiting a crime - you should not have it.
It doesnt matter what you do with them or where you got them, possesion is Intent - Intent is used to prosecute.
think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or artivles on hacking, maybe a hacking program and they find a list of passwords and logins to systems and websites.
Guess what - thats intent and you are getting charged with hacking, if they happen to be bank system passwords you are probaly going to be charged with fraud. They might not prove the charges but they have sufficient prima fascie evidence of crime of intent to commit to charge you with these things.
I cannot see ANY justification to have lists of passwords and user names to anybody elses system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap its not funny and its the argument all the hackers attempt when they are caught.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
I desreve to be modded down. I didn't read the article fully. He deserves what he gets.
Lets get this straight - independant forces and overwhelming evidence of what he actually did are everywhere - his fingerprints are all over the server and hes too dumb to delete the passwords and files he stole BUT obviously the police and FBI made him confess under duress ?
What IS the weather like on your planet
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
I am a humble little nerd... :)
hrrm.
In my country he would most likely get away with what he did, with the computer. Maybe with a monetary punishment, but there is a law about 'spreading alarming news' which I believe he did by trying to present the story in different way to the community and this is a crime that could be charged with several years in prison.
If programs would be read like poetry, most programmers would be Vogons.
Did I miss something? I didn't see anywhere in the article where he changed the password files.
Yes, he downloaded the Perl scripts. He even downloaded the password files. He shared them and was rewriting them in PHP. (Frankly, I'm surprised he copped a plea.)
This case is quite clear cut that Brian West had done something stupid and wrong. He deserves what he gets.
But, there are cases are not always as clear cut as that. In this case, we can identify his criminal intention from his download of password list then use it to exploit other parts of the system.
What if the confidential / proprietary info is left in a completely unencrypted/protected state. A few months ago, when my friend was looking up info for a robot toy from a very high profile website, the ColdFusion server encountered some internal errors and dumped out its own scripts and even the **administive password**. My earlybird friend cached the page and showed up later on today.... The intention seems to be benign enough, but the material evidence seems to be the same.
That's why, when ridiculous convictions really occur, we still need the community, we still need EFF. In some cases, we are the only people who understand what we are thinking...
But the passwords *were* gifted to the individual. They were so poorly-protected as to be considered public.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
except for the following:
Subsequent investigation revealed that WEST had downloaded the computer files, was in the process of rewriting the files, and intended to market the revised software program.
I was pretty pissed off too about this when the story first surfaced. Little additional details like this one kind of put a different light on it, though.
. The files written by defendant were in the PHP computer programming language and the file extensions of those files ended in .inc and .asp. These files were not in the PERL programming language."
so there was an include file, and asp files... can php run with an asp extension?
I personally don't see what the big deal is wihtout knowing what the perl scripts were. I just think it is funny how they are making it out to be this hacker, and the guy was using some of the most basic things -and they aren't really programming languages such as they scripting langs (the perl people are gonna get pissed at me on that one but I don't mean it as flamebait, just as my opinion).
There are some odd things afoot now, in the Villa Straylight.
And I once felt sorry for this guy.
What a piece of scum.
Poof.
Ok -- sorry, I should have been more clear with smiley, 's, or something like that. It was a joke. For the record, nobody should ever have a list of usernames/passwords that don't belong to them and whatever other boilerplate is needed to cover any possible circumstance.
I'm just blown away by the fact people actually defend this guy! We all have to start changing our view on security breaches by bringing in real life analogies.
If this guy had gone to the front door of his competing ISP, noticed it was unlocked and then walked in, HE WOULD BE GUILTY OF BREAKING AND ENTERING.
The whole underground movement of "lets push doors to see what's open and make ourselves look good by admitting to breaking and entering" isn't going to cut it anymore in this post terrorism world. He committed a crime plain and simple, doesn't matter if the key was copper or RSA. You are not a good neighbor if you are constantly looking for ways to break into my house. Especially if I don't even know you!!
It's true, people do need to check their firewalls and whatever other security means they have for exploits, but it does not give anyone a license to go willy nilly on the net looking for exploitable systems. If someone has a system infected by nimda and you see their IP coming across your firewall, yes call them. That's OK cause you are not breaking or entering.
--toq
~~~Moderators, note I posted this with my real account. Unlike the karma whoring anonymous cowards I stand behind my opinions.
Now, I even see people write "JAVA", and that's not even an acronym! Though I suppose one might infer that it's Just Another ....
Would those in attendance mind helping me by gently informing the users of this barbarism that "You sound like a freaking ignoramus!"? While I've got you, could you do the same for (stop here if you have a weak stomache and an appreciation for language) virii.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
in the kellybreed article, it's mentioned in a couple of places that interstate commerce was involved: "Defendant's access to the webpage involved interstate communications." and "... through the use of an interstate communication,".
My question is, does anyone know what this really means? It appears that interested parties were in OK, so it's not like he was connecting to a server in another state. In what way did connecting from his (OK based, right?) ISP to a site across town (hosted in OK, right?) cause interstate commerce issues to come up?
Read the article, idiot.
My karma is -1 because I don't use AC posting. LOL.
No. He pled guilty under Title 18, Section 1030(a)(2)(C).
Only 1030(a)(1), (4), (5)(A), and (7) are the computer crimes considered terrorism offenses under the draft of ATA (See Sec. 309)
By hacking the computer he gives up the right to any privacy regarding his actions on and communications with the attacked computer (Sec. 106), but then I wouldn't really expect someone to have privacy regarding what they do with a computer they shouldn't be on in the first place.
Hmmm...maybe the FBI really ARE the good guys!
I think this is an excellent opportunity to put things in perspective. The FBI, along with other government agencies, are much maligned on Slashdot. Now, I'm all for civil debate. Wanting to know the facts, and not believing everything you're told, are good things that should be encouraged here in the US. Those principles are espoused here except, it seems, when dealing with law enforcement and intelligence agencies. Remember this case next time you are quick to judge an investigation or trial.
Evil is the money of root.
No. Do not give reverse engineering a bad name. Stealing something is not reverse engineering it.
Apart from the amusing captilisation of PERL and the painstaking explanation of its acronym, there are some seemingly odd comments in there.
First off, the rewritten files were coded in PHP. But then they mention the files had the extension .inc and .asp. What? ASP = Active Server Pages. PHP = PHP! If he really was writing it in ASP, he certaintly does deserve to plead guilty!
-----BEGIN PGP SIGNED MESSAGE-----
l gw Hz0JbkX48AoKhM
Hash: RIPEMD160
RTF article.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBO7IE05Wn2pPDur23EQM+XACdGBBdBejGNG7MnTJ
WEHnec2AclMpxrQzzgwPDagB
=7Wce
-----END PGP SIGNATURE-----
-----
PGP Key ID 0xCB8FF658
Is it possible that Brian West was confronted with the following:
FBI: Mr. West, we'll give you a choice, you can plead guilty and admit to the following and serve a light sentence, or you can fight this for the next five plus years, probably be found innocent, while you and your family starve in the mean time.
Mr. West: Um..Um...Um....OK, where do I sign?
Don't believe this can happen? It already has to others. Unless you are an absolute saint, few of us are, you don't stand a chance if the big wheels decide to roll in your direction.
"To those who are overly cautious, everything is impossible. "
Wow. Read the first story, then the update... Then go back to the first story... Wow... I guess a gullible nature is the natural result of interacting more with technology than with people.
I think the first mistake was taking the letter at face value, and it didn't help much that it played on a theme that's all too common around here. Add up enough unfounded assumptions and eventually you'll get a pile of hate mail.
One good thing; the DA's office at least got enough mail to notice the geek outcry. We'll call this one a false alarm - any good security system is gonna have false alarms - and hope that the outcry is that much bigger when it's really needed.
For a second I was like "thats so cool that batman is a hacker!"...then I remembered thats Adam West, not Brian West.
Oh well.
can't sleep. clowns will eat me.
If you DON't want something to be public knowledge..... then try not putting it on a PUBLIC network. The Internet for example last time I checked was available to the public.
The other part - the attempted profiteering - is another matter altogether. I don't see how it's connected to the cracking at all. It's basic Black Market racketeering of information, and that should be prosecuted as such.
But the cracking? If the original company were competent, they wouldn't have security even an insider could crack. (Dual-key systems, and distributed privilages, are common ways to limit the damage even an administrator can do.)
Probing and scanning a machine (which includes testing passwords) is not a crime in many States. Only actual damage caused. And, to be honest, that arrangement sounds eminently sensible.
What we are beginning to see here is the blaming of the use of the computer, when the computer had nothing to do with it. This is the kind of fuel the Furher needs to pass the anti-terrorist measures.
(Isn't it coincidental that the cracking gets big publicity at the time the bill runs into trouble...)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Phillip: I say, Bartholomew, have you finished that smashing Practical Extraction Report Language script for your World Wide Web page in Extensible MACro System?
Bartholomew: Why no Phillip, I have chosen to rewrite it with VIsual editor, and I have used the wonderful Active Server Pages environment on my International Business Machines computer system. Perhaps later I will re-write it in PHP Hypertext Preprocessor.
Phillip: At least it's not FORmula TRANslation or COmmon Business Orientated Language!
Both: Ha ha ha ha ha !
That's the first government document I've ever seen discuss various programming languages like perl and PHP... you don't see court orders talking specifically about perl scripts very often...
Finally, I'm glad he wasn't innocent, because there would have been no point helping an innocent man hire an attorney. And should I someday be in BKW's shoes, I hope that somebody does the same for me.
What this all really sums up to is a hacker who couldn't get to the log files and decided to try and go the "I'm a white hat here to help" route
Then plays us bleeding hearts for suckers...
*QH does impression of lollipop*
And I was one of the first...
LFS. Have you built your system today?
I don't think I've ever seen "Practical Extraction and Report Language" spelled out in the straight press. I wish whomever the writer of the release asked for a definition had told them "Pathetically Eclectic Rubbish Lister". Of course then, they'd probably have just used the acronym.
Proud member of the Weirdo-American community.
this argument is no defence - they were not gifted to the individual he found a way in and stole them - thats the crime - the security of the system is not relevant and in this case the guy spent weeks looking for a way in - hardly easy then is it ?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
it's unusual to write .asp files in PHP - why would he be doing that?
.asp extension to the PHP parser. Unlikely in my view - if he was going to use/sell the scripts later, why wouldn't he write them with the default, most supported extension? far simpler.
a) he mapped the
b) the investigating agents don't know the difference between PHP and ASP
c) he doesn't know the difference between PHP and ASP
?
I'm assuming he was running on Windows, since he was apparently using FP (pertooey!)
Screw you all! I'm off to the pub
"Possession is not intent. One may possess a recipe for marijuana brownies without the intent to bake any. One may possess a gun without the intent to shoot anyone with it. It is possession _with_ intent that gets you prosecuted. It might get you charged with a crime, but proves nothing as far as if you did anything with the list.
Scenario: Let's say someone is a sysadmin for a company. As such, he has full access to usernames/passwords; he may even keep a hardcopy list of username/password pairs he uses often. Said sysadmin quits, gets laid off, etc. He still possesses the list of usernames/passwords, but doesn't use it, nor does he intend to. It's just in with the rest of his work papers. Is this sysadmin doing anything wrong? Nah. In fact, he might be purposely hanging on to the paper so that later when someone can't find some password and call him, he can answer."
Okay, that one I agree with.
"Here's a real world analogy. Let's say a friend gives me a spare key to their house. Later, said friend moves. I now have a key to a house, which I was given by someone authorized to do so, but which I have no right to use. As long as I don't _use_ that key, there's nothing wrong with possessing it."
Even that might be okay, but to follow this analogy, this guy wasn't given a key by a friend, he found a competitor kept his key under the doormat, made a copy and used it to break into the house and rummage through the competitor's personal files.
Possession of keys you have a valid reason for is one thing, but possession of keys you have no authority to have is always going to look like intent to attempt unauthorised access. I mean, why else would you have them? Particularly if there is evidence you have actively sought them.
In typical fashion, the majority of the slashdot community has managed to hipocritically come to the rescue of another hacker / cracker / whatever these criminals are being called these days.
/DMCA /hippie /hacker /geek sugar coating you put on this, it's still really simple:
Whoever said it before me was right: If it aint pro-linux / ms bashing, and it aint pro-hacker / down with the man, it aint gonna be liked on slashdot.
No matter what GPL
THIS GUY IS A CRIMINAL AND DESERVES TO GO TO JAIL.
He hacked into a website, stole some code he wanted to use, and would have sold the code for profit, if he hadn't been so stupid to get himself caught. Geez, he even helped himself get caught. He tried to play it off like it was an accident, and told on himself to create an alibi.
He's just another criminal. No different than the scumbag who stole your car, or the scumbag who broke into your house.
The Internet is not some magical place where the real world rules don't apply. People have invested countless amounts of money and time into it, and their property deserves the same recognition as anything in the physical world.
I'll say it again for those not listening the first time:
THIS GUY IS A CRIMINAL AND DESERVES TO GO TO JAIL.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Wanna bet? There's precedent for prosecutors telling defendants that they'll be looking at a long, drawn-out court case that will leave them unemployable *unless* they sign on the dotted line admitting to a misdemeanor. If you believe otherwise, you're terribly naive.
Now...why do legal people send stuff in microsoft-mangled RTF? They made that 'open' standard to share documents, and then they use it in a nonstandard way. dammit.
Sysadmins who leave a company and keep their passwords and then use them to get into companies have very short careers
Sysadmins who give passwords to friends have even shorter ones
There is an implicit trust and proffesionalism involved in being in control of system security - any admin worth 10cents would never give away passwords - if he did he would never ever get a job in IT again.
And any sysadmin who replaced another and didnt delete his predessors accounts and access and change service passwords deserves the same fate - its good housekeeping and its the first thing i do
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
After reading about this case for the first time I felt it necessary to write he DOJ lawyer and state my thoughts. It was the first time I ever felt so motivated. It was astounding that he would be arrested for helping a site with poor security, yet absolutely believable given the state of US law concerning computers, the net and IP.
I know someone who showed his employer that the Win95 'login' passwords could be considered security since they could by passed with the cancel button, and they chewed him out for "hacking" their computers. He also had a web page about the place he worked. (Nothing rude. He was actually pretty proud of the place.) It had some pictures from a pamphlet that the company would give to customers to learn about the company and what they did. They fired him claiming he was trying to impersonate the company on the web and also claimed he was violating their copyright by using the pictures from a pamphlet that anyone could pick up for free.
Anyhow, It figures the first time I speak out, the case is a lie at face value. I have to admit I feel used and perhaps even mildly abused. I would write Sheldon Sperling back to apologize but I figure he has gotten enough email about this case. I am glad I had the presence of mind to mention in my message to him that I know the defendant could be lying and in that case my statements might not apply.
How easy it is to seperate the Sysadmins and suchlike on here from everyone else (excepting the trolls -- we know what they are)
The sysadmins and pros and suchlike who work in IT agree this guy committed a crime or provide rational arguments as to why he didnt - they can rationally understand it and even maybe support the FBI - they understand what they did, have read the articles and post insightfull comments and thoughtfull questions and maybe even have a laugh.
The other group include those who thing all hackers are cool and that the goverment has no right to keep them out, they throw up any argument no matter how tenuous to defend the actions of Mr West and then even resort to saying he was forced to confess under duress ! then theres the conspiracy theorists and the lame he didnt steal anything of value (which is wrong guys as they law treats theft of data like theft of anything else)
How much time will the actions of someone who is now a confessed criminal who wasnt sophisticated enough to cover his tracks going to get you all in a lather ? Hasnt he had his 15 seconds of fame yet?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Here's a hypothetical situation: What if some malicious company made a webpage that when I connected to it, it downloaded the password file to a cookie on my hard drive. I don't know it's there. Then they come after me, claiming that I hacked into their system. True, I could say that I didn't know how it got there, and if I could get a person to show that their code downloaded the file (which would probably require a subpoena to look at their HTML code), that could make a good defense that I had no intent.
But what if I can't get that kind of help? What if I get a bone-head judge? Could someone be sent to jail for doing nothing more than browsing a web-page? It does seem that this guy was an damn-big idiot at least, and a malicious cracker at most, but it seems like cops are getting overzealous in prosecuting tech "crimes" without understanding what's really going on.
Who here wrote a scathing letter to the editor or someone else regarding this incident when it first came out?
I should see more hands that!
For those that did raise their hand, did you write them an apology for your uncalled for comments? Go on, raise your hand.
I didn't think so.....
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Comment removed based on user account deletion
I guess im the pointy haired sort of guy you are referring too.
To restate the obvious for those with IQ's lower than their shoe size - You have no right to have passwords and logons to any system you are not explicitly authorised to connect to. - thats simple fact. If you have said passwords then the intent is there to use thm - i dont care what bullshit defence you use to me.
These passwords were behind a secure (or thought) secure system - It apparently took mr west several weeks to get into this system so its not like they were in plain sight.
Yes im sure that this would prove that and if you got my password list i would resign from my company - thats proffeisonalism (although as i run a secured netWrk with 2 firewalls and a DMz server between the internet and all of my secured domain servers (with pin security access for remote logon and mail access only at that point - it would be a fucking good hacker (you aint he) who could manage it - and we have paid to have it tested - i would probably hire anyone who could do it in fact !)
Anyone who would break into your house would not leave a note moron, they would rob you blind.
Do you even live in the real world ? why is it not ok to break into someones house but perfectly acceptable to break into their servers ? What are you on about ?
You sir are a moron
And a troll
Get a job in the real world as a sysadmin and see how much sympathy you have for this shit then.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
And what if I just to happen to change my httpd.conf to say use php to process .asp extensions? With all of the asp to php conversions going on right now that is a great way to avoid goofing up outside linked sources.
Got Code?
He's converting it from perl already, so making sure the links are right isn't a problem.
Also good to use would be MultiViews which allows you to skip extensions entirely.
But why anyone would waste their time with a half-assed anemic language like PHP when there are real programming languages that are much better like Python, is beyond me. Ignorance, most likely.
Isn't it a shame that he got busted for copying and (EEEEUUUGH:) reading somebody else's Perl code (like licking dingleberries off a moose butt), and trying to rewrite it in PHP? When he could have just installed Zope, which is totally free, and probably already has 5 different ways of doing whatever he needed to do.
It's like stealing the designs for Fred Flinstone's rock wheels, and then trying to copy them by carving dried mud, when he should be using metal and rubber and air instead, and could have just picked up a set of good wheels for free, if he'd only known any better. Sheez, what a maroon.
-Don
Take a look and feel free: http://www.PieMenu.com
Not in plain sight means behind the scenes - LETS GET THIS STRAIGHT
Anyone who has read the details of this story would see that Mr West did not suddenly find this exploit =- he spent weeks looking for it - this negates the argument about random discovery and the in plain sight crap - oh ant the article in the newspaper analogy is total bullshit and a lame attempt to obfuscate the situation - no matter what page of the newspaper it is on it is considered not only in plain sight but in the public domain and is the most irrelvant argument i have ever seen - this information was found by deliberately looking for it and trying until it was found - the guys is a criminal and your attempts to defend him are misguided and franly laughable
He sought the information - he copied it - he distributed it and he boasted about it - he attempted to besmirch the name of a competitor to get business in what i consider the most pathetic attempt at blackmail that i have ever seen - in short he is a loser
End of story
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
You sound like a good person. For the record, Brian West may not have been lying. It is a common technique to threaten the accused party in order to get them to agree to a lesser charge. Since the DOJ needed an out with all the publicity, the entire story line of downloaded Perl scripts for profit could have been concocted for this purpose. And West would have signed at the dotted line to avoid the multiple charges and a lengthy trial for which he did not have the funds to fight a government bureau. We may never know. Or Mr. West may choose to make a statement at a future date (when it is safe to do so) which will present another side to this story. The present revelations are based entirely on a government published text. Look to the source to reveal the interests of truth.
Not just "virii". Beat up on those people use "boxen" or "unices", when every Right-Thinking Red Blooded English speaking droid knows that the proper plurals are "boxes" and "unixes". People who deliberately (or not) misuse language with humorous intent should be shot! (Or subjected to folk music, if that's not too cruel and inhumane.) Humor is evil, and all humorists are probably terrorists.
And those people who use "on the gripping hand." Gaah! Aren't they aware that humans only have two hands? Those bastards! Take away their credit cards and force them to wear white after Labor Day!
Nope
the statement on a web page about authorised access only means we can suee your ass and charge you with a crime - why do you think its there.
This is the sort of rubbish i keep seeing here - simply put there are some answers for you
1. he did not just find the passwords - he spent weeks looking for a way in however he could and this is the one he got.
2. The names and passwords were not on the home page - they were inside the system and he got them after he got in
3.Where did they post login information ? he didnt hack into the webiste he hacked into the server
4. they were his competiton thus he can be deemed as commiting industrial espionage
5. he copied the passwords and logins and the files and gave them away thus he is guilty of dealing in stolen goods
6. It wasnt a public page
7. He didnt get in thru a bad password
8. Posting login is not an invitation as it says on most (and i am sure this web page ) AUTHORISED USERS ONLY - thus if you dont have the right to be there dont login
9. having got in he told the newpspaper editor he had and boasted about it and about hacking a bank (he lied but thats not the point)
in short hes stupid
This is the sort of weak crap that all the script kiddies use - it was there so i had the right - they all use it right up until the minute the FBI arrests then then they claim the freedom of the EFF and open source etc - trust me these people dont give a fuck about any of this - they are out (as this guy was) for personal gain
HE LOOKED FOR THE HOLE
All of this information is in the various newspaper stories and affadavits and court documents - READ it before you post this lame attempts at justification
ALL HACKING AND CRACKING INTO SYSTEMS IS WRONG - IT COSTS COMPANIES MONEY AND ULITMATELY IT WILL COST YOU FREEDOMS - DONT DEFEND THESE GUYS
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
There was a city I once lived in where local government officials, contrary to public meetings laws, secretly exchanged emails on how they would "block-vote" on certain issues and set their standard responses in advance of actual meetings in order to present a united front to the press and embarrass the minority on the council. They also used this behind-the-scenes and *illegal* way of communicating to plan the firing of staff that didn't see things their way (and in one case, simply because the guy was Hispanic and they didn't like Hispanics).
Weeelll, now. A certain nameless employee caught wind of a rumor of a rumor of a rumor and surreptitiously obtained the admin password list, which just coincidentally gave a person access to all archived email passing back and forth between the councilors. This password list was provided to a semi-savvy press member who downloaded and printed off all of these emails which violated public meetings laws (and in that last case, laws against discrimination). All of this was illegal, of course, but what the councilors were doing was rather a step up - at least in my view. If you're one of Ashcrofts boys then the employee and press member should no doubt be shot.
Without this bit of hacking the councilors would've gotten away scot-free. Because of it two resigned and the rest were soundly defeated six months later in elections. The employee managed to conceal his identity and no sane person would try to convict the press member of a crime.
Sometimes, just sometimes, there really *are* good guys who hack (or crack, if you're anal about it) systems....
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Imagine that Brian said to a friend:
"I got this files from the Poteau Daily News and Sun Web site. It's realy bad coded. I'm going to rewrite the whole thing in PHP and see if they will buy it."
This would be enough to get him acused of "intending to derive a financial benefit from the unauthorized access".
Everybody seems to be assuming that "intending to market the revised software program" means that he would sell the new version on the open market. Actually, if he wanted to try and sell the new version only to the Poteau Daily News and Sun he would still be "intending to market the revised software program". A clarification of this is nowhere to be found.
Another suspicious thing is that he actually warned them about the security flaw, just the day after he found it out. Now, assuming he wasn't stupid, there are only two good reasons to do so:
- He actually had good intentions and wanted to warn them about the security flaw so as to avoid further instrusions.
- He wanted to blackmail them
If the second case is true, then why:- Did he explain them the nature of the security flaw ?
- There is no reference to him demanding money from the Poteau Daily News and Sun ?
I would say the waters are still muddedAre you sure your successor didn't see your ~/.forward and copy the address to /etc/aliases before removing your account? That's what I try to do (thankfully name collisions haven't been a problem yet).
.asp? *rolls over laughing*
is, has PDNS fixed the problem yet?
"But the passwords *were* gifted to the individual."
Does that mean if I don't lock the door to my house, I have "gifted" all of my possessions to my neighbors? If they take my stuff, it's still stealing.
I may have been stupid to leave my door unlocked, but that's another story.
I can understand your point but why would they if people didnt think hacking into them was their right ? if no one went out to hack their systems why would they need to be secure ?
If you extended this argument to homes we would all live in a house surrounded by barbed wire, rottweilers and floodlights with machine guns for point defence.
BTW from the information provided he didnt make a new account he stole exisiting ones.
I still think all hacking is wrong as the white hat argument is trotted out only when they get caught doing something they should not be.
Now if you will excuse me one of the rottwielers is barking and i think another on of those avon ladies is caught up in the barbed wire.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Prisions are full of people who only took one small step. Each one didn't seem so bad, but they all add up. Step A is a little naughty, step B a little more. People generaly don't go from not even a traffic ticket to Bank robbery and Murder is one giant leap.
Look at this guy, he's propable going to go to jail, do a ton of public-service and get put on probation all for stealing some scripts. I wouldn't be surprised if the scripts were freely avialable for download on an other site. Moral of the story is if you get stupid, you'll pay for it.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Whether you believe the law to be flawed is irrelevant - you break it you will be charged - thats the problem with the law - you cant say you dont recognise it and therefore get away with it.
I think possessing the passwords is itself proof of intent to use them in most cases - otherwise why have you got them ?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
"It is important that web sites are secure from unauthorized access and that intellectual property
is protected. Cyberspace will be a better place for all if such privacy and property rights are
respected," stated Assistant United States Attorney Jeff Gallant.
a better place if privacy and property rights are respected...hmm, funny the U.S. wants to stick backdoors, and access keys in our crypto technology. privacy? we wont have anything to protect anymore.
Of course people do this. But they're stupid to do this if they know they were in the right and will win their case.
This guy knew he wasn't in the right and he pleaded guilty. period.
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
Oh in case anyone isn't aware of it, Parole Boards usualy don't even look at what a potential Parolee was convicted of, they look at what he was charged with originaly. So Copping a plea effectively means admitting guilt to all of the charges, not just what you are convicted of. Don't like it, serve all of the sentence, its your choise.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Comment removed based on user account deletion
ok, i noticed that in the document they expanded the 'PERL' acronym. what would they write if Brian had used GNU software in some way?
Someone who wants the PHB and the rest of the goat trodding followers of MS to think that they are fully MS compliant. Whoever it is; smart man.
If you have said passwords then the intent is there to use thm - i dont care what bullshit defence you use to me.
At my last job, one of the network admins was trying to convince the management that our network procedures were insecure. After several weeks of getting nowhere, he installed some publicly available hacking tools and pointed them at our domain. Without using any of his inside knowledge of the system -- using only the default configuration of the tools -- he got a name/password list of most of the managing partners, the CIO, and the senior network administrator. None of these were passwords he would have had access to with any of his approved access from work.
He brought this list into the next meeting to demonstrate how insecure our system was. The official response was that he must have used his inside knowledge, and that no one from outside the company was that interested in trying to hack our system. This was at a law firm, BTW.
Although in the West case it's pretty clear he was also trying to rip off their site administration scripts, your assertion that mere posession of a password list equals intent to commit a crime doesn't stand up.
Nope, no sig
Yeesh!
There are a ton of breathless posts up on this subject, all saying "Gosh! He plead to the Fed charges--that means he's a crook!" And, as is all too usual for /. commentators, everybody seems to have stopped reading the prosecutor's press release right there.
Let's stop right there for a moment: this is not a news article. It is a press release, issued by the Federal prosecutor. Press releases, on their face, are designed to promote a person, product, or cause--they make no pretense at all of being comprehensive or factual. They are more than 'spin'--they are a carefully-structured form of shaping the truth. In other words, when your government lies to you, it usually uses a press release to do so. "We'll protect your civil liberties while monitoring your email and listening to your phone calls?" Press release. The many public benefits of Echelon? Press release. The pressing need for a national ID card? Soon to be a press release.
So let's put on our critical thinking hats, kiddies, and re-read this press release with a little more critical attitude. Let's start with the simple facts: Brian West was cruising a news site; he found a security flaw; he downloaded a couple of PERL scripts; he called the editor of the paper the next day and told the editor he'd found a flaw. The newspaper editor flipped out, called the FBI, the FBI showed up at Brian West's office, Brian West (really stupidly) blithely gives the FBI permission to search his hard drive and copy all of his files, and gets charged with hacking. Right?
Now let's think of the context: hackers are Evil. They get long jail terms--they do hard time. Nailing a hacker has all kinds of sex appeal for a prosecutor--computer crime is very juicy stuff for the media. (The best example is right here on SlashDot--look at how many people have read this bit of fluff and leapt to post comments about how wicked this West fellow was, and how much we should apologize for all those nasty things we said about the cops.) So just how "nailed" was West?
You'll have to go all the way down to the bottom of the press release: the maximum penalty for this misdemeanor (speeding is a misdemeanor) is a year in jail. But the prosecutor's press release says explicitly that West will probably get probation. And (read a little higher up) West has been released without bail--solely on his promise to appear--pending sentencing.
Now--why would the prosecutor's self-issued press release admit that this heinous computer crook has received a complete pass? That he won't do a day in prison, won't pay a penny in fines, and has been released without bond pending sentencing? Remember: this is the prosecutor's press release, so this is the most positive spin the prosecutor can put on this.
Because the prosecutor didn't have a case--but West had probably run out of money. Note that West had two lawyers to pay (not that legal fees in Edmond, OK or Cleveland, TX are gargantuan, but presumably West wasn't exactly rich either). There are lots of times in the American legal system where justice is lost in the rush to expediency. "Criminals" plead guilty to misdemeanors with no penalties because they can't afford the cost of a trial. Prosecutors demand guilty pleas--even if there is effectively no sentence--in order to chalk the case up as a "win". This, I'd bet, is precisely one of those cases.
Ask yourself this question: if the Justice Department had issued this kind of press release for Dmitry Skylarov, would you regard it as a rousing vindication of the Feds--or a moral victory for the defendant?
Without this bit of hacking the councilors would've gotten away scot-free. Because of it two resigned and the rest were soundly defeated six months later in elections. The employee managed to conceal his identity and no sane person would try to convict the press member of a crime.
So... what you're saying is that if you want to be a white hat, you better be a politician or risk incarceration?
What the employee did was no doubt in violation of his contract with his place of business
Maybe, but no employment contract that I know of covers confidentiality of illegal activity. Whistleblowers are protected by laws to guard against just this sort of thing. If your employer is engaged in illegal activity, you have every right to expose them.
Let's say your neighbor is an escaped convict. Does that make it right for you to steal from him, or murder him?
This is not an analogous example.
The ivory tower has never had to reach so h
So if you were to leave your house and forget to lock your front door, and I walk by and notice your door unlocked, then all your furniture and computer equipment is gifted to me? Hell, since it was poorly protected, it must be considered public right?
... I'm sure everything else slashdot has linked to is still entirely accurate....
PJRC: Electronic Projects, 8051 Microcontroller Tools
> But the passwords *were* gifted to the
> individual. They were so poorly-protected as to
> be considered public.
No.
That's like someone putting a pie out to cool on their windowsill, and you tresspass onto their backyard and steal the pie.
If they didn't want you to have the pie, they should have kept the window closed and erected a barbed-wire fence around their yard, right?
how long have php scripts had the extension .ASP is this some new iis feature i am unware of?
Why is it that a small town newspaper's Perl scripts are less valuable than a big newspaper's perl scripts? If I write code for a small company does that my my code or my talent less than that of someone who works for a big company?
The analogy doesn't hold. In this case the "house" is a location where the very idea is to take things. And it's not as if the owner's of the house put "please don't touch" signs on their favorite set of china. This is more giving your things to the Goodwill and then realizing that your wife accidentally put your favorite jersey in with the load.
A side effect of placing a document online in a publically accessible place is that people can get it. That's the entire point of the Internet, and if a site fails to properly obfuscate something, then it runs the risk of having its material copied. (This isn't the same as saying that the material can be republished freely).
If any publication accidentally prints something, it's free to be read by any. Granted, a drastic error in an advertisment doesn't have to be honored, but that doesn't apply here either.
This doesn't mean that Brian was in the clear, and to me, there should have been other issues of a more civil nature:
Where Brian should have had trouble is not in having the copyrighted source code, but in trying to develop this new version of the software using the old code without using some sort of clean room technique with another coder. To me, there was just a badly botched, half-assed reverse engineering attempt and nothing more.
"You're never ready, just less unprepared."
In the eyes of the law, cracking is cracking.
In this case it was a government computer. It would only take one instance of a reporter getting a hard life sentance for using computer information to expose criminal politicians. After that, there would be a serious damper on the idea of any sort of press investigation of crooked politicians.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
The analogy between a web site & a house is wrong and evil. The differences in use, purpose, structure, and value (real, not new economy) should make this obvious.
Your cutesy exit strategy is the classic "Oh, I made my BS argument, now I'll make a joke and go." You're more Corporate Manager than IT.You may be a crackerjack sysadmin, but you'd make a shitty programmer - failure to close nested perens.
Tatsujin
Umm, excuse me -- troll?! A link to goatse.cx is a troll. This was a question! Where're the metamoderators?
I repeat: do companies really consider usernames and passwords "intellectual property"? Under what circumstances, and to what extent? Can my name become someone else's intellectual property?
So you hate yourself because you believed the perp's story, and now you are (equally uncritically) believing the cop's story?
As I read the indictment, there is a lot open to interpretation. There are a lot of claims that the guy "was going to" do bad things [tm] and a very, very slim list of questionable actions that were admittedly taken.
The scientific method enshrines skepticism as a primary virtue. Faith is the domain of religion. Neither Slashdot nor your local police department require or deserve religious devotion.
--Charlie
Possession IS intent? I don't think so. Possession is proof of theft, not intent to use the passwords. Do you also think my possessing a gun is proof I'm going to rob a bank?
...on the next Batman movie. I hear he'll be in it, playing a villian. Did he go to his court appearances in the Batmobile? or is that just on the Simpsons?
Simpsons reference == instant karma, pay up.
AC's cheerfully ignored
If you're going to post pgp signed messages, at least post VALID pgp signed messages, you space-wasting geek.
No, not at all. Just perhaps less demanding, in that a design methodology that is acceptable for a smaller/lower volume operation usually isn't as sophisticated as what would be needed by a larger shop. Why pay the big $$$ that I'm sure you charge for your expertise to get a great solution, when you can have "good enough" for less.
Just being devils advocate here, but perhaps he was so scared and had no good legal backing that he signed the guilty plea to avoid further trouble. This looks like a statement the FBI prepared and asked him to sign, not a confession he himself worded. Perhaps, just perhaps, the FBI did not fully understand what they found but demanded that these are the charges and a guilty plea must be plead according to these charges. Pleading guilty many times is prefferable to pleading innocent and then being found guilty.
Dunno, just a supposition...
Hmmm
So let me see - having worked for 10 years and done everything from help desk to field support to sys admin to gain my position i am a stooge ?
And the analogy between a house is obe that is CONSTANTLY used on this site to defend this sort of person - it might be wrong but thats life and it it after all my opinion.
My arguments are not froma corporate viwepoint - my arguments are from years of maintaining secure systems, patching, updating, rebuilding, years of stoneds, melissa's, prelissas, markers, code reds, nimdas and such like, years of repairing damage done when some uber 14 year old manages to find a hole in a web page on a system you didnt set up but has become your responsibiltiy and you have to clean the mess up, years of port scans and DOS attacks on servers and one case of a super cool dood who hacked into a system at a previos employer and then proceeded to destroy it (a company that made glass windows and doors no less - what sort of reason was behind that)
Now i have an instruction for you. i looked back at your past posts and you have posted some very anti corporate diatribes and at least one bad experience - thus YOUR opinions are colored as well.
I have 25 staff under me and they are all great guys, i try and pay them well and look after them and i have turnover of less that 1 person in 2 years - in return i defend them and expect loyalty and hard work thats all - i dont spout corporate ethics - i support systems and see the damage.
Your point may be a little vallid and was fairly well put BUT i have one question for you - What is your proffesion - i suspect programmer rather than admin support - that alone would color opipnions.
Please note im not flaming you here - i respect your opinion and can see how you came to it - im only pointing out why its not the case
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Yes, but the password files and perl scripts were not stored in a manner intending to allow them to be world readable - he had to exploit a security flaw to get to the files. If he had gone to the web site and discovered that the files were posted in plain view on their home page, I would agree more with your point.
But the passwords *were* gifted to the individual. They were so poorly-protected as to be considered public.
If you forget to lock your front door are you gifting whatever a thief decides to take, including any credit card numbers he may happen to find (had to throw that one in there to defuse the bogus argument that it isn't theft unless something is physically taken)?
Comment removed based on user account deletion
you cant say you dont recognise it and therefore get away with it.
I said I disagreed with certain laws. I never claimed immunity from them.
I think possessing the passwords is itself proof of intent to use them in most cases - otherwise why have you got them ?
Your own choice of words "in most cases" proove my point about intent. "Most" is not proof. We cannot (or at least should not) convict someone based on "most". Different people have different motivations and intents.
How about this somewhat different example - Someone hacks root access on a computer. The ONLY thing he does is leave the sysop a message about the security hole and how to fix it. Violation of current law? Yes. If Congress passes the AntiTerrorismAct as currently worded it potentially carries a life sentence without parole.
The laws we apply to a case like this, and every other aspect of our society, is a choice between various options. I belive allowing an AntiTerrorismAct with up to life sentence to apply is a Bad Thing. I belive a treating it as a felony based on Intent is a bad choice which I will oppose. I belive treating it as a misdemeanor is a reasonable choice. I also belive that restricting punishment to cases of harm done is another reasonable choice.
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.