Brian West Update

Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.

The worst part of it is:

[Dr.+Smeegee]

... I am the kind of pollyanna cretin who beleived the guy when he put forth the story that he was being punished for doing his competitor a favor. "Why you bad men always pick on nice hacker fellers? You mean men!"

The theft and the defacement are so banal. The really bad part is how angry I got at the "injustice" done him by the unthinking cops.

Sorry cops.

Not exactly a White Knight

[legLess]

From the article, near the bottom:

"This case generated a very substantial amount of e-mailed correspondence to our office and across the world," [United States Attorney Sheldon J.] Sperling said. "The wide range of opinion was instructive. In this case, the defendant rewrote the files he downloaded, planned to distribute his rewrite, added another page to the website, modified the password file, and misled sympathizers and others as to both the character and scope of what he had done."

This is exactly the kind of cracking that needs to be prosecuted. This jerk wanted to have his cake and eat it too: look like a hero for publicizing the security hole, then profit from stealing another's work. It doesn't even sound like he was very smart about it.

Some people posted in the original article saying basically the same thing, but were ignored or flamed. Others were obviously lied to. People wrote letters, donated to the EFF, etc.

It's nice to see such noble acts, but please folks, take cases like this with a grain of salt until the truth comes out, eh? We geeks already have enough of a reputation for being reactionary.

It just goes to show..

[DavidBrown]

..that we shouldn't automatically believe the story of every hacker/cracker/defendant who claims that he's being prosecuted for being a "good citizen". Every single prosecution of someone for some sort of "computer crime" isn't cause for us to plead for more donations to the EFF.

This isn't to say that we shouldn't support the EFF.

Most every criminal defendent comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.

The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.

Re:This whole thing makes me so mad.

[Lonesmurf]

No, he should go to jail as per the law requires. He not only didn't alert the system admin, he downloaded files and changed them, got access to password files and changed them, and distributed both to a friend.

Not only that, but he afterward went around an told everyone a different story than what he had actually done. I say this guy is an immature loser that deserves what he gets.

The responsible thing to do would be to anonymously mail the admin and tell him/her that such and such exploit is open and that he/she should fix it.

read the story folks

[evilpimpstar]

This guy stole. It's sorta like if you saw a Wells Fargo truck with the back door open, took a couple of money bags, then told the driver, "Hey, you're back door is open."

I think you'd be arrested too.

Re:New laws saying this is "life behind bars" offe

[XorNand]

Actually, I beleive that it is you that is misinformed. In it's current drat, the ATA would most definately apply in this case:

From Title 18, Sec. 1030 of the US Code:

(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;

...and from the draft of the ATA of 2001:

SEC. 106 INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.
(1) in section 2510-
(A) in subsection (17), by striking "and" at the end;

(B) in subsection (18), by replacing the period with a semi-colon; and

(C) by adding after subsection (18), two new subsections as follows:

"(19) `protected computer' has the meaning set forth in section 1030; and

"(20) `computer trespasser' means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer."; and

(2) in section 2511(2), by adding after paragraph (h) a new paragraph as follows:

"(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if-

"(A) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;

"(B) the person acting under color of law is lawfully engaged in an investigation;

"(C) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and

"(D) such interception does not acquire communications other than those transmitted to or from the computer trespasser.".

Re:It all seemed so clear the first time through..

[q-soe]

As a corporate IT manager i would like to ask you one question ?

Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy ?

The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - i look at this as a simple thing - it is unauthorised access and theefore illegal.

When will some people get this through their heads - if you have someone elses account and password obtained from any source which does not have authoirity (eg the Sysadmin or network admin) then you are commiting a crime - you should not have it.

It doesnt matter what you do with them or where you got them, possesion is Intent - Intent is used to prosecute.

think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or artivles on hacking, maybe a hacking program and they find a list of passwords and logins to systems and websites.

Guess what - thats intent and you are getting charged with hacking, if they happen to be bank system passwords you are probaly going to be charged with fraud. They might not prove the charges but they have sufficient prima fascie evidence of crime of intent to commit to charge you with these things.

I cannot see ANY justification to have lists of passwords and user names to anybody elses system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap its not funny and its the argument all the hackers attempt when they are caught.