Brian West Update
Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.
I remember reading that story and thinking, here was a good guy -- one of us, doing a fairly nice thing and reporting a security hole (that obviously someone other than him should have been the first to notice). I remember being more than a bit outraged that law enforcement couldn't tell the difference between breaking into a system maliciously, and just noticing something amiss.
Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy, I suppose. I think it is the "for profit" motive - that he would steal someone else's work and try to sell it as his own - that is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
I'm glad the rest of the details came out on this one.
... I am the kind of pollyanna cretin who believed the guy when he put forth the story that he was being punished for doing his competitor a favor. "Why you bad men always pick on nice hacker fellers? You mean men!"
The theft and the defacement are so banal. The really bad part is how angry I got at the "injustice" done him by the unthinking cops.
Sorry cops.
Some posts act like this guy is innocent.... IMHO, he shouldn't be punished for the penetration or browsing, 'cause he reported it to the company.... but, he apparently deliberately lied to the company about some stuff, and attempted to steal some of their intellectual property for his own personal gain.... sorry, this guy seems a bit shady, and it seems to me he got what he earned for himself....
This is exactly the kind of cracking that needs to be prosecuted. This jerk wanted to have his cake and eat it too: look like a hero for publicizing the security hole, then profit from stealing another's work. It doesn't even sound like he was very smart about it.
Some people posted in the original article saying basically the same thing, but were ignored or flamed. Others were obviously lied to. People wrote letters, donated to the EFF, etc.
It's nice to see such noble acts, but please folks, take cases like this with a grain of salt until the truth comes out, eh? We geeks already have enough of a reputation for being reactionary.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
..that we shouldn't automatically believe the story of every hacker/cracker/defendant who claims that he's being prosecuted for being a "good citizen". Every single prosecution of someone for some sort of "computer crime" isn't cause for us to plead for more donations to the EFF.
This isn't to say that we shouldn't support the EFF.
Most every criminal defendant comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.
The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.
144l. ph34r my 133t l3g4l 5k1lz!
No, he should go to jail as the law requires. He not only didn't alert the system admin, he downloaded files and changed them, got access to password files and changed them, and distributed both to a friend.
Not only that, but he afterward went around and told everyone a different story than what he had actually done. I say this guy is an immature loser that deserves what he gets.
The responsible thing to do would be to anonymously mail the admin and tell him/her that such and such exploit is open and that he/she should fix it.
rJames.org - illustration
Perhaps you didn't read the article. He found the security hole and then proceeded to steal scripts from them. His intention was to rewrite them and then sell them for a profit. What he did is called corporate espionage.
This guy stole. It's sorta like if you saw a Wells Fargo truck with the back door open, took a couple of money bags, then told the driver, "Hey, your back door is open."
I think you'd be arrested too.
you reap what you sow
Any 5 year old can sell crack - it's illegal as well.
He didn't just 'hack it', he stole data - that's a computer crime and he pled guilty - end of case.
I was one of those people who said this the last time and got flamed and moderated down for suggesting the guy might not be all he seemed.
Some Slashdot readers need to read the information and think about things.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
"It is important that web sites are secure from unauthorized access and that intellectual property is protected. Cyberspace will be a better place for all if such privacy and property rights are respected," stated Assistant United States Attorney Jeff Gallant.
Also from the release:
"Using MS Front Page, defendant discovered a common security flaw between MS Front Page and MS Internet Information Server (IIS), the server software being run by PDNS."
So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user that was clever enough to discover yet another innovative, undocumented feature in the software.
Since the DoJ is obviously committed to making sure "that web sites are secure from unauthorized access and that intellectual property is protected," they'd better throw the FBI at any average citizen that is smart enough to research the (in)security of the software that they use, instead of targeting the company that is more concerned with taking your money than making sure it actually works.
No, some posters are just stupid.
Let's use your window analogy:
The defendant, using a security vulnerability known as a Window, was able to break inside INSERTCOMPANYNAMEHERE and read and copy confidential documents sitting on a desk. He then gave a copy of the papers to a friend to show him how utterly 1331 he was and then told the company about the problem with breaking through a Window. However, for noticing the stupidity of BRIAN WEST, the prosecution is serving legal papers up within a court hearing for misdemeanor charges of breaking inside a building through a window without authorization.
rJames.org - illustration
I'm perplexed how the FBI could possibly have ascertained that West was rewriting the Perl scripts in PHP to resell as a product, as they indicate as the impetus of their response of search warrant and arrest.
At first blush, it seemed like he just poked around the site a bit -- something I might do if I accidentally came across this problem, if to do nothing more than to understand the scope of the vulnerability.
So he downloaded some files here and there. Even, *gasp*, Perl scripts. Does this constitute the theft of intellectual property? Does this warrant the execution of a search warrant by the FBI?
It seems, on its face, that:
a) PDNS had more information about this individual's competitive position and included this in its complaint to the FBI, or
b) the FBI did lots of detective work (including possibly monitoring email and/or phone communication) and concluded that he wasn't so helpful, or
c) this is simply what the FBI found after the fact as a justification for their overreaction to PDNS's complaint.
My car gets 40 rods to the hogshead, and that's the way I likes it!
Actually, I believe that it is you that is misinformed. In its current draft, the ATA would most definitely apply in this case:
From Title 18, Sec. 1030 of the US Code:
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;
...and from the draft of the ATA of 2001:
SEC. 106 INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.
(1) in section 2510-
(A) in subsection (17), by striking "and" at the end;
(B) in subsection (18), by replacing the period with a semi-colon; and
(C) by adding after subsection (18), two new subsections as follows:
"(19) `protected computer' has the meaning set forth in section 1030; and
"(20) `computer trespasser' means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer."; and
(2) in section 2511(2), by adding after paragraph (h) a new paragraph as follows:
"(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if-
"(A) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;
"(B) the person acting under color of law is lawfully engaged in an investigation;
"(C) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and
"(D) such interception does not acquire communications other than those transmitted to or from the computer trespasser.".
Entrepreneur : (noun), French for "unemployed"
I'm glad legislation is in the works to treat him as such. I recommend mandatory life sentence. We cannot remain idle while our nation is being attacked by such brutal "haxorists".
I recommend mandatory life sentence.
As a corporate IT manager I would like to ask you one question?
Under what circumstances does a username/password list to systems you have not been explicitly given access to come in handy?
The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - I look at this as a simple thing - it is unauthorised access and therefore illegal.
When will some people get this through their heads - if you have someone else's account and password obtained from any source which does not have authority (eg the Sysadmin or network admin) then you are committing a crime - you should not have it.
It doesn't matter what you do with them or where you got them, possession is Intent - Intent is used to prosecute.
Think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or articles on hacking, maybe a hacking program, and they find a list of passwords and logins to systems and websites.
Guess what - that's intent and you are getting charged with hacking; if they happen to be bank system passwords you are probably going to be charged with fraud. They might not prove the charges but they have sufficient prima facie evidence of crime of intent to commit to charge you with these things.
I cannot see ANY justification to have lists of passwords and user names to anybody else's system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap it's not funny and it's the argument all the hackers attempt when they are caught.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
This case is quite clear cut that Brian West had done something stupid and wrong. He deserves what he gets.
But, there are cases that are not always as clear cut as that. In this case, we can identify his criminal intention from his download of the password list and then using it to exploit other parts of the system.
What if the confidential / proprietary info is left in a completely unencrypted/unprotected state? A few months ago, when my friend was looking up info for a robot toy from a very high profile website, the ColdFusion server encountered some internal errors and dumped out its own scripts and even the **administrative password**. My earlybird friend cached the page and showed up later on today.... The intention seems to be benign enough, but the material evidence seems to be the same.
That's why, when ridiculous convictions really occur, we still need the community, we still need EFF. In some cases, we are the only people who understand what we are thinking...
But the passwords *were* gifted to the individual. They were so poorly-protected as to be considered public.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
No. He pled guilty under Title 18, Section 1030(a)(2)(C).
Only 1030(a)(1), (4), (5)(A), and (7) are the computer crimes considered terrorism offenses under the draft of ATA (See Sec. 309)
By hacking the computer he gives up the right to any privacy regarding his actions on and communications with the attacked computer (Sec. 106), but then I wouldn't really expect someone to have privacy regarding what they do with a computer they shouldn't be on in the first place.
Is it possible that Brian West was confronted with the following:
FBI: Mr. West, we'll give you a choice: you can plead guilty and admit to the following and serve a light sentence, or you can fight this for the next five plus years, probably be found innocent, while you and your family starve in the meantime.
Mr. West: Um..Um...Um....OK, where do I sign?
Don't believe this can happen? It already has to others. Unless you are an absolute saint, few of us are, you don't stand a chance if the big wheels decide to roll in your direction.
"To those who are overly cautious, everything is impossible. "
For a second I was like "that's so cool that Batman is a hacker!"...then I remembered that's Adam West, not Brian West.
Oh well.
can't sleep. clowns will eat me.
Phillip: I say, Bartholomew, have you finished that smashing Practical Extraction Report Language script for your World Wide Web page in Extensible MACro System?
Bartholomew: Why no Phillip, I have chosen to rewrite it with VIsual editor, and I have used the wonderful Active Server Pages environment on my International Business Machines computer system. Perhaps later I will re-write it in PHP Hypertext Preprocessor.
Phillip: At least it's not FORmula TRANslation or COmmon Business Orientated Language!
Both: Ha ha ha ha ha !
That's the first government document I've ever seen discuss various programming languages like perl and PHP... you don't see court orders talking specifically about perl scripts very often...
You have a good point about this but for one simple fact - and this can be found by reading the logs - this guy isn't going to trial because he hung himself out to dry by admitting he had done it, boasting to people (including the editor of the paper) keeping the stolen files and then giving passwords to a friend.
In other words the evidence alone would hang him - the fact that he tends to come across as an arrogant person in his writings and letters, and don't forget he only tried the white hat when caught.
People like this guy think the law doesn't apply to them; they think that computer crime is something no one else will understand and that makes it hard to prove etc. It isn't - trust me, I have worked with Australian Federal Police investigators at a previous role (involving an attempted hacking incident at a financial institution). These guys were very very smart and skilled and 2 of them were ex hackers (1 who had served jail time); they know what they are doing.
This guy has to have committed the most amateurish, pathetic and misguided hack in history and then thought he could use the open source movement to cover himself and the EFF to protect him - he was wrong and this should teach us a lesson.
All is not what it seems in these cases - IMHO there is no such thing as white hat or black hat, ONLY hackers - any justification you can try and find won't change the fact that these guys support an ethos surrounded in getting access to things they haven't been given.
Hacking is wrong. FULL STOP
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
When I was growing up, my parents used to leave a key to the house hidden under a rock in the backyard in case I got home and they weren't there. I know other people that did the same thing. Some people might say this is a common and well known security hole in single family dwellings.
Now if someone found that security hole, would it be ok for them to take the key and make a copy? Would it be ok for them to repeatedly break into my house to take my personal possessions? Would it be ok to distribute the key to others? For a profit? Would it be ok as long as they told me about it later and told me how they could make my house more secure?
The existence of a security hole does not make it ok to steal. That's the bottom line. Pick another cause to fight for.
He hates these cans!!!
After reading about this case for the first time I felt it necessary to write the DOJ lawyer and state my thoughts. It was the first time I ever felt so motivated. It was astounding that he would be arrested for helping a site with poor security, yet absolutely believable given the state of US law concerning computers, the net and IP.
I know someone who showed his employer that the Win95 'login' passwords could be considered security since they could be bypassed with the cancel button, and they chewed him out for "hacking" their computers. He also had a web page about the place he worked. (Nothing rude. He was actually pretty proud of the place.) It had some pictures from a pamphlet that the company would give to customers to learn about the company and what they did. They fired him claiming he was trying to impersonate the company on the web and also claimed he was violating their copyright by using the pictures from a pamphlet that anyone could pick up for free.
Anyhow, it figures the first time I speak out, the case is a lie at face value. I have to admit I feel used and perhaps even mildly abused. I would write Sheldon Sperling back to apologize but I figure he has gotten enough email about this case. I am glad I had the presence of mind to mention in my message to him that I know the defendant could be lying and in that case my statements might not apply.
Who here wrote a scathing letter to the editor or someone else regarding this incident when it first came out?
I should see more hands than that!
For those that did raise their hand, did you write them an apology for your uncalled for comments? Go on, raise your hand.
I didn't think so.....
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Yeesh!
There are a ton of breathless posts up on this subject, all saying "Gosh! He pled to the Fed charges--that means he's a crook!" And, as is all too usual for /. commentators, everybody seems to have stopped reading the prosecutor's press release right there.
Let's stop right there for a moment: this is not a news article. It is a press release, issued by the Federal prosecutor. Press releases, on their face, are designed to promote a person, product, or cause--they make no pretense at all of being comprehensive or factual. They are more than 'spin'--they are a carefully-structured form of shaping the truth. In other words, when your government lies to you, it usually uses a press release to do so. "We'll protect your civil liberties while monitoring your email and listening to your phone calls?" Press release. The many public benefits of Echelon? Press release. The pressing need for a national ID card? Soon to be a press release.
So let's put on our critical thinking hats, kiddies, and re-read this press release with a little more critical attitude. Let's start with the simple facts: Brian West was cruising a news site; he found a security flaw; he downloaded a couple of PERL scripts; he called the editor of the paper the next day and told the editor he'd found a flaw. The newspaper editor flipped out, called the FBI, the FBI showed up at Brian West's office, Brian West (really stupidly) blithely gives the FBI permission to search his hard drive and copy all of his files, and gets charged with hacking. Right?
Now let's think of the context: hackers are Evil. They get long jail terms--they do hard time. Nailing a hacker has all kinds of sex appeal for a prosecutor--computer crime is very juicy stuff for the media. (The best example is right here on SlashDot--look at how many people have read this bit of fluff and leapt to post comments about how wicked this West fellow was, and how much we should apologize for all those nasty things we said about the cops.) So just how "nailed" was West?
You'll have to go all the way down to the bottom of the press release: the maximum penalty for this misdemeanor (speeding is a misdemeanor) is a year in jail. But the prosecutor's press release says explicitly that West will probably get probation. And (read a little higher up) West has been released without bail--solely on his promise to appear--pending sentencing.
Now--why would the prosecutor's self-issued press release admit that this heinous computer crook has received a complete pass? That he won't do a day in prison, won't pay a penny in fines, and has been released without bond pending sentencing? Remember: this is the prosecutor's press release, so this is the most positive spin the prosecutor can put on this.
Because the prosecutor didn't have a case--but West had probably run out of money. Note that West had two lawyers to pay (not that legal fees in Edmond, OK or Cleveland, TX are gargantuan, but presumably West wasn't exactly rich either). There are lots of times in the American legal system where justice is lost in the rush to expediency. "Criminals" plead guilty to misdemeanors with no penalties because they can't afford the cost of a trial. Prosecutors demand guilty pleas--even if there is effectively no sentence--in order to chalk the case up as a "win". This, I'd bet, is precisely one of those cases.
Ask yourself this question: if the Justice Department had issued this kind of press release for Dmitry Sklyarov, would you regard it as a rousing vindication of the Feds--or a moral victory for the defendant?
Incorrect. I worked at the HelpDesk of G.E. in Appliance Park, Kentucky, their central IT and server location, and something different happened for me. I was on a COMMON mapped drive, provided (with FULL read and write permissions) for everyone in building 4 (IT), by default. The server was BLDG4USERS1. The pccommon directory is essentially a repository for temporary items from users of the system. Anything can be read or deleted by anyone. In this mapped drive, I found a folder, Jenne, which contained various items. Among these (yes, I was on lunch, and had time) were router configurations, switch configs, and even weakly encrypted enable passwords. When I approached the person I believe owned the folder (a GE network support person), he didn't seem concerned or alarmed. He did, however, thank me. Since we were both in the break area (I know I was on break), I went on to divulge that I had also noticed his social security number in an expense report, apparently pre-filled, to expedite his filing of such reports. This took him by surprise, and he gave me an apparently sincere thanks. I had already approached my immediate supervisor about notifying him, but he had no solution, and no interest in doing so. I did not want to carry this clear up the chain of command, because, as a creative and enthusiastic person, I had made enough waves trying to get a Cisco CCNA/NP lab up and running. I lost my job. I was 'untrustworthy'. There are no hidden facts, I'm not slanting the story, and I can even see how snooping into a personal DRIVE could be real bad. This was a PUBLIC drive. I could've deleted his whole folder....