Report Security Problems, Face The Consequences

An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.

Interesting Tactic

Competition: "Oh, there is? Really? How does it...? Oh, geez that's really bad. It does that too!? You're joking? Wow, we'll get on that right away." (Hangs up phone and calls police.)

PHB: "Good work, Johnson! That'll show 'em!"

Naked Woman Seeks Sex at Airport [slant-six.org]

Re:wierd tactic - details of Title 18 Section 1039

hillct wrote:

The only offense he might have committed it is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.

Your point about state lines aside, the words "protected computer" jumps out at me. From what I've read, I can only draw the conclusion that the computer is not protected and that, in fact, the suspect in this case was contacting the other company to inform them of this fact. Sounds to me like this FBI team are just looking for something to do to justify their existence.

Re:Has common sense become less common?

That analogy does not fit. A more correct one would be:

Hi. I came by to visit you at your house yesterday, and when I knocked on the door, it just swung wide open. Did you know you have left it ajar? I yelled to see if you were at home, but you weren't. You know someone might steal the computer you have set up right at the front of the living room there. Well, I closed the door for you. Since I don't have your key I couldn't lock it. You really should try better to keep your door closed and locked, but if not, at least move the computer to your back room so someone less honorable coming along won't walk off with it.

Using the wrong analogy could leave people who just don't understand in the first place with a misunderstanding of it. As to the specific facts about the case with PDNS.COM, I don't know if I have them all or not. But based on what facts have been presented that I have read, my analogy is the correct one. The only reason 99.9% would say this guy is wrong is if they are judging him based on your flawed analogy. Common sense dictates that the case should be investigated. Maybe LinuxFreak.Org didn't really do a very good job of gathering the facts. But until they all are available, this is what we have to go on, and it makes the feds, idiot small town newspapers, and a certain sysadmin, look bad.

Re:Has common sense become less common?

It's a fairly obvious difference between cracking a system, and exploiting the problems found, and coming across a problem by accident and reporting them in a sensible manner.

How is what he did sensible? He works for company X. On day 1 he finds a misconfigured server run by company Y, his direct competitor. He spends this day poking around two of the sites hosted there, testing out usernames and passwords that he found on at least one of them. Does he tell anyone who could fix the server anything? No. Not until the next day does he let anybody know about it (assuming he didn't share the info with his buddies), and when he does so, does he call the server operators? No, he goes to company Y's customer and tells them. And he doesn't tell their IT department, he tells it to a newspaper editor. He's not some good samaritan, because he never did tell company Y about the problem with their server. He was still showing people the hole 10 days after he found it.

The sensible thing to do, which I've done a few times, is as that the instant he realized that there was a hole in the server, he should've immediately quit playing around with it and immediately called or emailed the customer or company Y. That is, if he really wanted to wanted to be a good samaritan. If he didn't want to be a good samaritan, that's fine, he doesn't have to call, but you don't sit there poking around the hole after you realize that it's there.

this is not a new thing

whisle blowers have been prosecuted and prosecuted for a long long time..... why do you think we would be immune to the norms of society?

Depends..

It says in the article that he 'tested' the secure hole to make sure it was indeed a security hole. It depends on what he did to that site during that 'testing'. If he did something illegal, then they are going to bust him down in court for that.

Pick your analogy

In Brian's case, this reminds me more of a guy walking his dog around his neighborhood on the sidewalk who notices that the front door of one of the houses was left wide open and that there are flashing neon signs pointing to the open door that read

ENTER HERE -->

TAKE EVERYTHING IN MY HOUSE! PLEASE! I DON'T WANT IT! IF I DID, WHY WOULD I PUT THIS SIGN UP AND LEAVE MY FRONT DOOR OPEN?

So, the guy looks at the mailbox to find a house number, looks up the number in the neighborhood directory, and calls the owner to make sure he's aware of the situtation.

We can start an entire thread on analogies for things like what Brian did and what portscanning is, but it just becomes subjective depending on how familiar you are with the technology. To many of us, open up a file that contains contact information after Frontpage accidentally goes into editing mode instead of read-only mode (or whatever) and then contacting someone about it seems trivial. But to your average FBI cybersleuth, it's just as trivial to spin this in an insanely dark direction.

Isn't it more fun to catch cybercriminals than to wander around determining that those people are actually innocent? Try to convince your average cocky FBI boy of that.

He's a witch...

...burn him!

Donations...

Do Something About This! [paypal.com]

Re:Donations...( I *do* know him )

Actually, I do know Brian on a personal level. I've known him for a few years. I work for a national ISP based in the Chicago area, and have collaborated with him on some projects in the past, so I know who he is, what his convictions are, and he's certainly not guilty of anything malicious in this case. I'm not posting as an AC, so feel free to check me out as well, if you are convinced this a conspriacy to dupe the Slashdot community.

If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worth of a *FEDERAL FELONY* conviction.

I donated to Brian's cause, because a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).

If you don't believe in this case, donate to the EFF [eff.org] instead.

Important lesson

Talk to the techs.

Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

Wrong Lesson

Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

Totally wrong. Somebody who knows the technology must have been involved even before the called in the FBI. And I'm sure the FBI and the U.S. Attorney also have technical experts.

Undoubtedly Cyberlink has a policy of referring all security breaches with to the authorities. They probably call it "zero tolerance" or whatever the get-tough buzzword is this week.

Common sense says that West behaved responsibly. He inflicted no actual harm on the Daily News web opeation, and indeed probably saved them some down time, or worse.

Unfortunately, common sense is not relevent here. When somebody gets caught in a technical violation of the computer security laws (even when the violation is matter of interpretation, as in this case), the authorities have every motivation to "send a message" and go after the "culprit". Brian West's criminal intent, or lack of it, is simply not to be considered.

The ultimate safeguard is supposed to be the trial jury, which would presumably see that Brian is anything but a criminal. But in order to avail himself of that safeguard, Brian has to expend all his financial resources in an expensive trial.

So the U.S. attorney offers Brian a plea agreement involving no jail time. Brian gets to walk away with some of his finances intact, and the feds get to chalk up a conviction. Everybody's a winner.

Outragous? Yeah, some people would say so. Stupid? No argument from me. Counterproductive? Actually making things worse? Absolutely. Unprecedented? You've got to be kidding. This is the way the justice system works, and this sort of thing happens every day.

I've long had a policy of never reporting security breaches, unless the victim is somebody I know and trust. I've had brushes with the "shoot the messenger" mentality before, though never anything as nasty as this. I'm not suprised, but it's a little chilling to see my worst fears so thoroughly confirmed.

Not the whole story...

LinuxFreak:

The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.

Oklahoman News:

Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.

The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

With that in mind, let's not canonize Brian West just yet.

Re:Not the whole story...

I know the guy in question on this situation and he didn't do anything malicious. I was talking with him on IRC at the time he found the problem and since he isn't an NT type he didn't quite undrestand what had happened. You can pull up one webpage and get dozens of listings in a log file with all the pictures, etc ... so the hundreds of attempts makes it sound worse than it really is. He did access directories on the site that operate it (they have a perl script so they can enter articles/changes via a web interface) just to see if it would allow him access to places that should have required additional passwords (not just the front page password) and sure enough it did. Nothing on the website was modified or any files changed or anything malicious. They're also claiming that this news perl script he accessed was worth $5,000 because that's the limit to get a federal prosecution.

I once did something like this...But won't again!

Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood, This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite no how to respond, so I waited a day to see if the problem went away. It didn't.

I figured that if I could see the shares other people could to, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.

They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.

However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.

Re:I once did something like this...But won't agai

A co-worker of mine found a strange machine on a corporate housing DSL network. Turned out to be a CEO of a consulting firm. My friend did poke around and noticed what could have been sensitive documents. He also was able to look at this individuals cookies. He was not able to find the guys e-mail directly so he contacted the company instead. The CEO called him directly, thanked him and offered to take him to dinner.

The big question is, would this guy have been as greatful if he knew the methods my co-worker used to figure out who he was? It's a fine line. Maybe being an anonymous good samaritan would be the better route.

What to do?

So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What to I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?

This is a crappy situation.

tragic, but not surprising.

FBI goons play friendly while gathering evidence.
Only those things that can be used against you are considered.
Where is there news here?

I have made it a point to NEVER, under any circumstances, connect to any service beyond web pages linked by their own site, without written permission of the owner, on their corporate letterhead.

Exposing security problems is considered to be a nasty evil thing. Dont do it. Let them be hacked. Do not do it yourself. If you accidently find a hole, dont access it, Dont tell others of its existance, just go on about your own business.

You, a computer knowledgable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Dont provide it.

No good deed goes unpunished

This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute [cato.org] has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteeen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.

part of the problem is incompetent sysadmin

My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that its often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.

The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.

Something similiar happened to me

A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram [counterpane.com] (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help [grc.com] (scrool down to the section where he describes his dealing with the FBI).

- Sam

Something similiar happened to me

(Sorry about the blank comment. The new Slashdot code is still really buggy)

A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram [counterpane.com] (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help [grc.com] (scrool down to the section where he describes his dealing with the FBI).

- Sam

Well, what did YOU do ?

I emailed the DOJ, President, VP, My US Senators and Oklahoma Senators about this case asking them to look into it. Here is the message I sent:

I read about a case regarding Brian K. West in Southeast Oklahoma at:

http://www.linuxfreak.org/post.php/08/17/2001/134. html

If the information contained therein is correct, then there is already a SERIOUS miscarriage of justice going on.

Is it the policy of the United States , the Bush Administration and the Department of Justice to prosecute well intentioned citizens for attempting to help a stranger in an entirely benign manner ?

Would the DOJ prefer that the editor never have been notified about the security issue accessible through routine use of Microsoft software ?

What about the implication for other "good samaritan" acts ? Does the DOJ intend to set a precedent allowing any confused person to prosecute and/or sue anyone who helps them ?

I call on the DOJ to investigate the legal and technical competence of the attorney and law enforcement personnel in this matter.

Feel free to copy this and send it off if you like. With luck, either the DOJ will quit, or we'll get a better explanation. Hopefully we can create an awareness that VOTERS ae watching what happens in these matters, and that we expect reasonable action and competence.

Contact Wally Burchett and the Poteau Daily News

Mr. Wally Burchett has some serious issues, and
the Poteau Daily News has something coming to them if they think they can get away with this.

Everyone should start writing letters, call the editor, etc. From their Web site:

Address:
Poteau Daily News & Sun
P.O. Box 1237
804 N. Broadway
Poteau, OK 74953

Office Hours:
7a.m. - 6p.m. Mon.-Fri.
8a.m. to Noon Sat.

Phone Numbers:
(918) 647-3188
(918) 647-8198 Fax

Email:
pdns@pdns.com
publisher@pdns.com

If you write letters, direct them to Mr. Wally Burchett.

As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.

For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.

What about MS?

Shouldn't MS be a co-defendent as they provided the software used to 'hack' the site? Isn't there something illegal about making tools that are used for 'hacking'?

The way we make laws is a security flaw

Anyone with a bad idea and enough money can get any nonsense turned into a law.

--Blair
"Democracy is a wonderful thing. I wish we had some."

Parallel Senarios...

Passer-by: "Hello, police? Yea, I was driving by KMart when I noticed that the doors have been broken off of the front of the building. You might want to get someone over before the place gets robbed."

Police: "Stay there for a while sir and watch things until we arive."

<I>15 Minutes later...</I>

Passer-by: "I'm glad you made it. I was getting tired and..."

Police: "You're under arrest for theft and breaking and entering."

Yea, that makes a lot of sense.

Entrapment and other issues.

First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically thats entrapment.

If the company asks me to demonstrate breaking into their website, then thats the same thing as inviting me into your house then having me arrested for trespassing.

Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.

All that aside, what do we do? Should we not bother to help the world secure itself? Should we just worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.

How DO we deal with this? Law Enforcement either doesnt' have a clue, or doesn't care, and probably its both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure microsoft crap and have it work, and microsoft certainly isn't going to take any blame for it.

This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcment involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.

As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if its not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?

-Restil

He has not been charged!

Ahem, this man has not been charged with a crime. That means they are blowing smoke -- for now. He does not need an attorney.

Look, several years ago, I walked near an area where a sexual assault had taken place. The police saw me, and you can imagine what happened. I was a perfect target -- single, no alibi, just walking between two places alone.

They questioned me, took my info, and left. The next day they started calling me at home and at work, trying to get me to confess, trying to get me to "accept" a lesser charge.

They stated that if it went to court, they had enough circumstantial evidence to convict me, that if I didn't take the offer, they would go for the most severe charge. I would be in jail for "years", and (obviously) lose my job.

If I would just confess to a lesser charge, they would "guarantee" no jail time, and no fine. After seven years, it would be like nothing happened, there would be nothing on my record.

There was just one problem with accepting the blame : I was not the perpetrator; I commited no crime.

So I was scared. I spent some money on an attorney ($75) and the guy wanted thousands "up front" to "insure my freedom".

As it turns out, most lawyers are lying bastards. I talked to my Dad's attorney about this, and he started laughing. He said "My God, this is America! You haven't even been charged! They're blowing smoke up your ass to try and get a free conviction for doing no work!"

He recommended that I call the Detective and state:

"My attorney and I will surrender to your department when charges are filed, please contact me at that time. I have no intention of fleeing; I would like to avoid the embarrassment of being arrested at my home or place of work".

Total cost for a real attorney : $0.00

I was never arrested, charged or contacted again!

Know your rights! You do not have to speak to the police...you should respect them and answer rudimentary questions with honesty, but once it becomes clear that you are a target of the investigation, stop talking! Simply tell them you intend to turn yourself in when charges are filed.