Report Security Problems, Face The Consequences 552
An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.
This sort of thing seems to be typical (Score:2, Interesting)
The only thing I see as a possible remedy to this is for people to actually start using all those anonymous remailers that are floatin' around, otherwise, be prepared to get bent over for trying to be helpful. I can relate to this personally, the only good thing about it is that I only got fired, not arrested. But how much more BS are people going to take before they start to take a stand against this kind of crap?
Re:Who-hoo! Land of the Free! (Score:3, Interesting)
No, Canada requires it as well.
Not the whole story... (Score:5, Interesting)
Re:Important lesson (Score:3, Interesting)
It looks to me like he simply wanted to sway the customers over to his company, and use the security flaw for the reason.
ya ya ya, I'll get modded down for this, but I do think there is more to the story.
He should have contacted the other company, and the FBI should do better things with their time.
I once did something like this...But won't again! (Score:5, Interesting)
Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood, This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite no how to respond, so I waited a day to see if the problem went away. It didn't.
I figured that if I could see the shares other people could to, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.
They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.
However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.
What to do? (Score:5, Interesting)
This is a crappy situation.
Re:Has common sense become less common? (Score:2, Interesting)
How about an analogy that the 'joe bag-of-donuts' crowd can understand. Suppose you get letter in the mail that says
"Hi. I just wanted to let you know that I stopped by your house the other day, and I was able to easily break into your home. I was able to jimmy the back door, and slide open two of your windows. After I entered your house - since I saw that the exterior was insecure, I decided to see how secure the inside of the house was. While doing this, I was able to find your credit cards in your wallet, so your personal information isn't safe in your house. And, you left your gun cabinet unlocked. I just thought that I should share this with you since I am only interested in your security.
The Cracker"
I would argue that 99.9% of the people in this country would say that this person has broken the law and should be arrested, but you are arguing that since they didn't exploit what they found, that the clueless cops should leave this person alone. Common sense dictates that the person should be arrested, and the cops aren't clueless when they do this.
No good deed goes unpunished (Score:4, Interesting)
part of the problem is incompetent sysadmin (Score:5, Interesting)
My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that its often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.
The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.
Something similiar happened to me (Score:5, Interesting)
The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram [counterpane.com] (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.
About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.
Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.
Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.
At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.
Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.
Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help [grc.com] (scrool down to the section where he describes his dealing with the FBI).
- Sam
Something similiar happened to me (Score:3, Interesting)
A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.
The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram [counterpane.com] (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.
About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.
Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.
Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.
At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.
Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.
Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help [grc.com] (scrool down to the section where he describes his dealing with the FBI).
- Sam
Good samaritan laws (Score:2, Interesting)
taping conversation illegal? (Score:1, Interesting)
Isn't taping a phone call without both party's knowledge/consent illegal? Wasn't Linda Tripp charged for that?
Re:Has common sense become less common? (Score:4, Interesting)
That analogy does not fit. A more correct one would be:
Using the wrong analogy could leave people who just don't understand in the first place with a misunderstanding of it. As to the specific facts about the case with PDNS.COM, I don't know if I have them all or not. But based on what facts have been presented that I have read, my analogy is the correct one. The only reason 99.9% would say this guy is wrong is if they are judging him based on your flawed analogy. Common sense dictates that the case should be investigated. Maybe LinuxFreak.Org didn't really do a very good job of gathering the facts. But until they all are available, this is what we have to go on, and it makes the feds, idiot small town newspapers, and a certain sysadmin, look bad.
The way we make laws is a security flaw (Score:3, Interesting)
--Blair
"Democracy is a wonderful thing. I wish we had some."
Re:Not the whole story... (Score:2, Interesting)
LinuxFreak:
The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.
Oklahoman News:
Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.
The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.
Hmmm. Oklahoma news vs. Linuxfreak on a technical issue
Let's canonize him. Seriously. Next you'll be telling me that accessing
Let's adopt the same philosophy the FBI and the prosecutors have - if we are wrong about this one, they are guilty ten other times that we can't prove. I don't have any problem treating them like they treat others!
Uh, this is news? (Score:1, Interesting)
Death of a hobby (Score:2, Interesting)
You try doing chemistry as a hobby at home today you will find yourself in jail. Even if you never make any drugs or bombs, it will be assumed that you are making drugs and bombs. The possession of any chemicals which could conceivably be used for making drugs or explosives will be taken as evidence that you are making drugs and explosives - even if you aren't. Even if you have careful notebooks which explain what you're doing, it won't help you. People have been sent to prison for possession of three-necked flasks and triple-beam scales!
Computer security has, I think, gone the way of chemistry. Don't do it at home! I am by nature a paranoid person - perhaps this is to compensate for my lack of ability to "read" people and take hints - it would never occur to me to do any white-hatting and give my real name. I would have notified the newspaper jerks by email from an anonymous terminal or by disposable calling card from a payphone. The boy in this case should have told his boss at his company, and let his company decide whether to call or not. Instead, he goes off and gives the impression that he goes around finding holes in systems, on his own, all the time! If security is your hobby, go and get a job at an actual security company and do it full time. Or don't do it at all.
Re:Donations...( I *do* know him ) (Score:5, Interesting)
If he's guilty of anything perhaps it's a bit of overexuberance and a naive belief in the goodwill of others towards "Good Samaritans" in reporting the problem, but last I checked my moral compass, those aren't worth of a *FEDERAL FELONY* conviction.
I donated to Brian's cause, because a support technician for a local ISP in OK, he doesn't have thousands of dollars stashed away to cover the costs of a lawyer in a federal criminal case ( which this has suddenly become ).
If you don't believe in this case, donate to the EFF [eff.org] instead.
Parallel Senarios... (Score:3, Interesting)
Police: "Stay there for a while sir and watch things until we arive."
<I>15 Minutes later...</I>
Passer-by: "I'm glad you made it. I was getting tired and..."
Police: "You're under arrest for theft and breaking and entering."
Yea, that makes a lot of sense.
Re:wierd tactic - details of Title 18 Section 1039 (Score:3, Interesting)
Along the same lines, could weather or not a computer is protected be established by how difficult it was to gain access? Perhaps the computer could be said to be not ptotected because the guy didn't have to take any special measures to gain access (except click the 'edit' button in FrontPage. This is a legal question and not one I have the answer to.
--CTH
Re:Has common sense become less common? (Score:2, Interesting)
Or, a better example. After closing hours, you are walking down the street. Your shoelace becomes untied, and you lean up against a storefront, to tie it. Oops, but the door isn't latched, and you tumble inside. Now, do you rush off, and never get caught? This guy didn't.
Do you do like some do, write a small note, and place it inside (the analogy would mean leaving a webadmin.html with the info), which while technically illegal is still in good faith? This guy didn't.
He calls them up on the phone, and informed them of the security flaw. He didn't publicize it, thereby inviting script kiddies. His access is something that is publically and technically acceptable, and he didn't even take a single step beyond it. He acted in good faith, even though competitively he shouldn't have aided the competition, nor was he obligated to do so, ethically or legally.
The only real crime here, is being committed by the prosecutor. He should be charged with false proseuction, and if there is no law for that, treason. Subverting the laws of this country, and attempting to convict someone even though you know them to be innocent, is certainly treasonous. Plus, treason allows for the death penalty, if I'm not mistaken, a just punishment and excellent deterrent.
Reporting a security problem (Score:2, Interesting)
- when I recently subscribed online to an ISP, all the data was sent to one of the employees. That employee was probably responsible for billing.
- I could read
- I could read ALL MAIL BOXES using browser and my dial-in password. That included mail box of that employee. I found credit card numbers of 4 other people there.
- I could CHANGE ALL MAIL BOXES with ftp.
I also found what account was used to read e-mail with my credit card number.
I sent an email to the boss (I found who the boss was by looking in the employees' emails) and there was no reply. Then I edited the mail box of the billing employee ("I am interrupting your reading to inform you about such and such problems...").
Only then they fixed it. Oh, and I talked to the sysadmin, and he did not know what is sticky bit.
Now: should I rot in jail?
FBI should have powers taken away (Score:2, Interesting)
At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked
I can just picture this situation, these FBI agents were probably sitting there thinking "wow, this hacker dude is hacking into the site right in front of us, we've really got him now. This is too easy!".
Seriously, if an organization such as the FBI doesn't even have the know-how to tell the difference between "hacking malicously" and "letting a company know they have a security problem", then their authority should be taken away from them - unless they can prove they actually know what they are doing - otherwise, we have a serious problem. You can't give someone so much authority and power to investigate crime when they know little to nothing about what they are supposed to be investigating. Thats scary.
Re:Well, what did YOU do ? (Score:2, Interesting)
Two weeks later, I get this big mannila envelope with a little four line form letter thanking me for my interest in the case and this huge packet of press clipings regarding the case. Ever since then, every week like clockwork I get this huge packet of clipings in a big mannila envelope from Don.
I have no idea what I accomplished in writing in the first place. I guess it's better than nothing. I didn't really expect the representative to call up thanking me for pointing out the case and asking me out to dinner to discuss it further.
Did any of you write your congressmen and get some different responce?
Federal Agencies Go Hog Wild? (Score:2, Interesting)
This story has made me think "maybe the FBI are all crazy
"Oh, you think your innocent of the charges? Well, that can be decided in court... welcome to the concept of innocent until proven guilty".
I'm sure that the federal officers involved in this situation were thinking "if this guy didn't really hack, but honestly found this misconfiguration by mistake, his attorney will argue it in court and he'll walk".
FAIR ENOUGH? Simply inditing someone doesn't mean their definately going to jail, but they get inconvienced to the max. $10K to prove you're innocent? More than a year of your life filled with stress, wondering if you are going to spend a few more years under probation or even jail?
I'm sorry, but that is crap. Just because these feds didn't know jack about the situation (I can only conclude that the didn't fully understand the situation as anyone that does understand the problem wouldn't want this guy prosectuted) this good samaritan goes down.
And no, I am not anti-American. Federal law enforcement in Australia isn't too far behind. Prosecution hungry feds like to run amuck here too.
Re:Has common sense become less common? (Score:1, Interesting)
If you don't like the news, then change it. (Score:1, Interesting)
Local:
"Mishap at Water Treatment Plant poisons city water supply, tap water now flammable, shut off all water valves!"
Election '01:
* Candidiate for Mayor Observed Molesting Boy Scouts
* Police Chief says "No more black crime", ordered 100 ropes, having them attached to lampposts by Dept of Public Works.
Business:
"New Company Releases New Product, Stock Prices Shooting Up, Wall Street Analysts say 'Buy Now'"
Or just randomly deface the pages:
"All Your Base Are Belong To Us!"
"LIMP BISKIT F&*&IN RULES!!!!!!!"
Or actual stories may be modified in ways not apparent. A city council meeting is reported "cancelled" and less people show up.
People running for public office occasionally overstep the bounds of the law. Possible this would include modifying a news website just prior to election? Possible an elected offical would know how to contact someone with the skills to do so and pay them to do it anonymously and untraceably?
When reading the news on a web site, can no longer assume it was not modified without the news organizations knowledge. In fact a news URL may be as bogus as a chain letter. When a security breach is publicized some readers may lose faith in that website and try the competition's web site.
Do newspapers firewall their web servers from the machines the stories are composed on? If not it is possible the content of the PRINT edition could be messed with. And whatever is printed in the paper it must be true.