Slashdot Mirror


Brian West Update

Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.

13 of 313 comments

  1. It all seemed so clear the first time through... by dmarcov · · Score: 4, Interesting

    I remember reading that story and thinking about here was a good guy -- one of us, doing a fairly nice thing and reporting a security hole (that obviously someone other than him should have been the first to notice). I remember being more than a bit outraged that law enforcement couldn't tell the difference between breaking into a system maliciously, and just noticing something amiss.

    Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy I suppose. I think it is the for "profit" motive - that he would steal someone else's work and try to sell it as his own is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
    I'm glad the rest of the details came out on this one.

  2. The worst part of it is: by Dr.+Smeegee · · Score: 5, Informative

    ... I am the kind of pollyanna cretin who believed the guy when he put forth the story that he was being punished for doing his competitor a favor. "Why you bad men always pick on nice hacker fellers? You mean men!"

    The theft and the defacement are so banal. The really bad part is how angry I got at the "injustice" done him by the unthinking cops.

    Sorry cops.

  3. not much pity here..... by dragonxhero · · Score: 4, Insightful

    some posts act like this guy is innocent.... IMHO, he shouldn't be punished for the penetration or browsing, cause he reported it to the company.... but, he apparently deliberately lied to the company about some stuff, and attempted to steal some of their intellectual property for his own personal gain.... sorry, this guy seems a bit shady, and it seems to me he got what he earned for himself....

  4. Not exactly a White Knight by legLess · · Score: 5, Informative
    From the article, near the bottom:

    "This case generated a very substantial amount of e-mailed correspondence to our office and across the world," [United States Attorney Sheldon J.] Sperling said. "The wide range of opinion was instructive. In this case, the defendant rewrote the files he downloaded, planned to distribute his rewrite, added another page to the website, modified the password file, and misled sympathizers and others as to both the character and scope of what he had done."


    This is exactly the kind of cracking that needs to be prosecuted. This jerk wanted to have his cake and eat it too: look like a hero for publicizing the security hole, then profit from stealing another's work. It doesn't even sound like he was very smart about it.

    Some people posted in the original article saying basically the same thing, but were ignored or flamed. Others were obviously lied to. People wrote letters, donated to the EFF, etc.

    It's nice to see such noble acts, but please folks, take cases like this with a grain of salt until the truth comes out, eh? We geeks already have enough of a reputation for being reactionary.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
  5. It just goes to show.. by DavidBrown · · Score: 5, Insightful

    ..that we shouldn't automatically believe the story of every hacker/cracker/defendant who claims that he's being prosecuted for being a "good citizen". Every single prosecution of someone for some sort of "computer crime" isn't cause for us to plead for more donations to the EFF.

    This isn't to say that we shouldn't support the EFF.

    Most every criminal defendant comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.

    The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.

    --
    144l. ph34r my 133t l3g4l 5k1lz!
  6. Re:This whole thing makes me so mad. by Lonesmurf · · Score: 5, Informative

    No, he should go to jail as the law requires. He not only didn't alert the system admin, he downloaded files and changed them, got access to password files and changed them, and distributed both to a friend.

    Not only that, but he afterward went around and told everyone a different story than what he had actually done. I say this guy is an immature loser that deserves what he gets.

    The responsible thing to do would be to anonymously mail the admin and tell him/her that such and such exploit is open and that he/she should fix it.

  7. read the story folks by evilpimpstar · · Score: 5, Insightful

    This guy stole. It's sorta like if you saw a Wells Fargo truck with the back door open, took a couple of money bags, then told the driver, "Hey, your back door is open."

    I think you'd be arrested too.

    --
    you reap what you sow
  8. Re:New laws saying this is "life behind bars" offe by XorNand · · Score: 5, Informative

    Actually, I believe that it is you that is misinformed. In its current draft, the ATA would most definitely apply in this case:

    From Title 18, Sec. 1030 of the US Code:

    (2) the term ''protected computer'' means a computer -
    (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
    (B) which is used in interstate or foreign commerce or communication;


    ...and from the draft of the ATA of 2001:

    SEC. 106 INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.
    (1) in section 2510-
    (A) in subsection (17), by striking "and" at the end;

    (B) in subsection (18), by replacing the period with a semi-colon; and

    (C) by adding after subsection (18), two new subsections as follows:

    "(19) `protected computer' has the meaning set forth in section 1030; and

    "(20) `computer trespasser' means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer."; and

    (2) in section 2511(2), by adding after paragraph (h) a new paragraph as follows:

    "(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if-

    "(A) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;

    "(B) the person acting under color of law is lawfully engaged in an investigation;

    "(C) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and

    "(D) such interception does not acquire communications other than those transmitted to or from the computer trespasser.".

    --
    Entrepreneur : (noun), French for "unemployed"
  9. He is a terrorist by ksw2 · · Score: 4, Funny
    What this man did was clearly an act of terrorism.

    I'm glad legislation is in the works to treat him as such. I recommend mandatory life sentence. We cannot remain idle while our nation is being attacked by such brutal "haxorists".

    I recommend mandatory life sentence.

  10. Re:It all seemed so clear the first time through.. by q-soe · · Score: 5, Interesting

    As a corporate IT manager I would like to ask you one question?

    Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy?

    The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - I look at this as a simple thing - it is unauthorised access and therefore illegal.

    When will some people get this through their heads - if you have someone else's account and password obtained from any source which does not have authority (eg the Sysadmin or network admin) then you are committing a crime - you should not have it.

    It doesn't matter what you do with them or where you got them, possession is Intent - Intent is used to prosecute.

    Think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or articles on hacking, maybe a hacking program and they find a list of passwords and logins to systems and websites.

    Guess what - that's intent and you are getting charged with hacking, if they happen to be bank system passwords you are probably going to be charged with fraud. They might not prove the charges but they have sufficient prima facie evidence of crime of intent to commit to charge you with these things.

    I cannot see ANY justification to have lists of passwords and user names to anybody else's system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap it's not funny and it's the argument all the hackers attempt when they are caught.

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  11. Re:How did the FBI know? by q-soe · · Score: 4, Insightful


    Answers

    A: He boasted about it to the Newspaper editor and several other people (read the info on his case on the web - it's in newspaper accounts)
    B: They didn't have to - the guy's a fool - he left the evidence on his computers and bragged to the people he hacked - who notified the local police who called the FBI
    C: Naah - this is what he did wrong - he committed a crime and got caught and charged - why bother keeping defending the little shit?

    The argument over intellectual property is so much crap - they were on a secured password protected section of a server he had no legal access to and also I will point out one belonging to a competitor of his - and he stole them thus committing theft.

    The FBI has jurisdiction on this and the other reason they were called in one suspects is that the brain dead I mean defendant boasted about hacking into a local bank's systems (a lie it seems but he said it on the record in an interview with the newspaper and it was thus reported) and if that bank had Federal Investment Deposit Insurance (FIDC) then any crime committed against it becomes a federal crime and the FBI investigates.

    Now are we done defending this guy? He's a hacker - full stop.

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  12. Gray area in confidential info.... by AtomicBomb · · Score: 4, Insightful

    This case is quite clear cut that Brian West had done something stupid and wrong. He deserves what he gets.

    But, there are cases that are not always as clear cut as that. In this case, we can identify his criminal intention from his download of password list then use it to exploit other parts of the system.

    What if the confidential / proprietary info is left in a completely unencrypted/protected state. A few months ago, when my friend was looking up info for a robot toy from a very high profile website, the ColdFusion server encountered some internal errors and dumped out its own scripts and even the **administrative password**. My earlybird friend cached the page and showed up later on today.... The intention seems to be benign enough, but the material evidence seems to be the same.

    That's why, when ridiculous convictions really occur, we still need the community, we still need EFF. In some cases, we are the only people who understand what we are thinking...

  13. Who wrote a letter? by tiny69 · · Score: 4, Insightful
    OK
    Who here wrote a scathing letter to the editor or someone else regarding this incident when it first came out?

    I should see more hands than that!

    For those that did raise their hand, did you write them an apology for your uncalled for comments? Go on, raise your hand.

    I didn't think so.....

    --
    Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)