Report Security Problems, Face The Consequences

An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.

Donations...

[hexx]

Do Something About This! [paypal.com]

Re:this is not a new thing

[Anonymous Coward]

Even big stupid companies [theregister.co.uk] do it!

Whistleblowers take 3Com to court over unsafe kit claim
By: John LeydenPosted: 15/02/2001 at 18:43 GMT

3Com is facing a multi-million dollar lawsuit from former employees claiming it knowingly sold unsafe products and conspired to file false police reports against them when they reported problems with its kit.

Re:Not the whole story...

[Anonymous Coward]

I know the guy in question on this situation and he didn't do anything malicious. I was talking with him on IRC at the time he found the problem and since he isn't an NT type he didn't quite undrestand what had happened. You can pull up one webpage and get dozens of listings in a log file with all the pictures, etc ... so the hundreds of attempts makes it sound worse than it really is. He did access directories on the site that operate it (they have a perl script so they can enter articles/changes via a web interface) just to see if it would allow him access to places that should have required additional passwords (not just the front page password) and sure enough it did. Nothing on the website was modified or any files changed or anything malicious. They're also claiming that this news perl script he accessed was worth $5,000 because that's the limit to get a federal prosecution.

Re:Not the whole story...

[whatnotever]

Read the comments below the linuxfreak article. Brian explains it in a bit more detail. He did use a username/password, but he got it from a file served to the public from their site.

And I think that the "hundreds of attempts" mentioned is just their normal daily load (their advertising claims to reach "over 1000" readers daily, and this is over a year later, right?). And if only *some* were trying to access these files and scripts, why even bother mentioning "hundreds of attempts" - that number is irrelevant!

Basically, he did a bit more than click on "edit," but it sounds like he really did just find the hole and check to be sure.

Contact Wally Burchett and the Poteau Daily News

[pclinger]

Mr. Wally Burchett has some serious issues, and
the Poteau Daily News has something coming to them if they think they can get away with this.

Everyone should start writing letters, call the editor, etc. From their Web site:

Address:
Poteau Daily News & Sun
P.O. Box 1237
804 N. Broadway
Poteau, OK 74953

Office Hours:
7a.m. - 6p.m. Mon.-Fri.
8a.m. to Noon Sat.

Phone Numbers:
(918) 647-3188
(918) 647-8198 Fax

Email:
pdns@pdns.com
publisher@pdns.com

If you write letters, direct them to Mr. Wally Burchett.

As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.

For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.

Re:Wire Fraud

[mmol_6453]

Here [cornell.edu]'s the law entry for what he's charged with, and Here [usdoj.gov]'s the reference for the Oklahoma wire fraud law.

Per the fbi afidavit

[WindowsTroll]

he is guilty of unauthorized access to the PDNS web site. He admitted in a recorded conversation with PDNS representatives that he accessed the user names and passwords to their site, that he entered their site using these names and passwords, and that on three occassions, he entered the web site of 1st National Bank of McAlster and was able to view customers checking accounts, savings accounts, and money transfers.

So, going back to the house analogy, he is guilty of going inside and looking around.

The details of the affidavit are from Brian West's own web site, http://www.bkw.org

wierd tactic - details of Title 18 Section 1039

[hillct]

One item not mentioned in the article is the details of Title 18 Section 1030 [cornell.edu] which pertains to 'Fraud and related activity in connection with computers'. Under this statute, mere access to protected computers owned by the federal government is a criminal offense, and access with intent to cause damage or defraud are offenses, but this cuy hasn't commited any of these offenses. The only offense he might have committed it is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.

The problem with prosecuting under this theory is that as far as I can tell (and the article doesn't really say either way) accessing the computer hosting the newspaper website was not done across state lines (thus affecting interstate commerce - which is why this clause can exist in the US COde at all). Does anyone know weather access to the newspaper website was done across state lines? It doesn't look like it to me.

--CTH

Pick your analogy

[Plasmic]

In Brian's case, this reminds me more of a guy walking his dog around his neighborhood on the sidewalk who notices that the front door of one of the houses was left wide open and that there are flashing neon signs pointing to the open door that read

ENTER HERE -->

TAKE EVERYTHING IN MY HOUSE! PLEASE! I DON'T WANT IT! IF I DID, WHY WOULD I PUT THIS SIGN UP AND LEAVE MY FRONT DOOR OPEN?

So, the guy looks at the mailbox to find a house number, looks up the number in the neighborhood directory, and calls the owner to make sure he's aware of the situtation.

We can start an entire thread on analogies for things like what Brian did and what portscanning is, but it just becomes subjective depending on how familiar you are with the technology. To many of us, open up a file that contains contact information after Frontpage accidentally goes into editing mode instead of read-only mode (or whatever) and then contacting someone about it seems trivial. But to your average FBI cybersleuth, it's just as trivial to spin this in an insanely dark direction.

Isn't it more fun to catch cybercriminals than to wander around determining that those people are actually innocent? Try to convince your average cocky FBI boy of that.

[OT] Re:Who-hoo! Land of the Free!

[locutus074]

Having formerly worked for an airline, I can tell you that the reason is because Frankfurt is the first stop in the country of your final destination.

Think about it this way: Suppose you embark from Podunk, Idaho on your way to Frankfurt, with a connection in LaGuardia (New York City) each way. (Assume that Podunk Regional Airport has no customs and immigration facilities, but it wouldn't matter if it did.) On your way back, you'll go through customs and immigration in New York, because after New York, it's all domestic flights.

It works the same way going abroad.

Don't trust the Oklahoman - HORRIBLE REPORTING

[lonesome phreak]

I live in OK. Never trust what the Oklahoman says. It has been judged one of the WORST newspapers in America (http://www.cjr.org/year/99/1/worst.asp). They are racist, homophobic, and very skewed on all their reporting.

Title 18 Section 1030

[vulg4r_m0nk]

For anyone interested in reading the law under which the prosecutor is planning to charge this guy, it is here [psionics.net]

If the details of the story are correct, there's no way the DOJ can win this case, as all of the provisions under the law have to with intent to defraud or demonstrable harm having occurred. But, as others have pointed out, the details are little sketchy.

Re:wierd tactic - details of Title 18 Section 1039

[emmons]

Please, learn english if you want to write in it.

"weather [dictionary.com]" is not the same as "whether [dictionary.com]."

Re:Has common sense become less common?

[Cramer]

Actually, if it ever goes to court, there may be nothing to present. Unless he was aware the phone call was being recorded, the tape is tanted. If there was no search warrant, any materials collected by the FBI at his place of business is also tanted. If the agents didn't identify themselves prior to asking him to show them what he meant, that's entrapment. And of course, if he was never read his rights, ...

While I certainly would agree, on the surface, this looks stupid, we may not have the full story. AND, accidental or intentional, he is almost certainly guilty of "computer tresspass". The "door" analogy is a little flawed... one cannot "see" that a password is not required without actually trying. Look at it more as walking up to knock on a door while blind-folded. Bascially, a locked door looks just like an unlocked door; you have to try to open it to tell one way or the other. And thus, the law is broken (bent, whatever.) Laws that apply to the physical world don't always have an equal in the virtual world.

(The lack of formal charges would suggest nothing will ever come of this stupidity.)