Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
United States

Report Security Problems, Face The Consequences 552

Posted by timothy from the maybe-he-should-just-edit-the-page dept.
An Anonymous Coward writes: "Doing a good deed has caused one man a lot of trouble in the past year. Brian K. West, a tech support junky in a SE. Oklahoman ISP is now facing felony charges due to alerting his competition about a serious security flaw in their systems. The full story can be found at LinuxFreak.org ... I find this rather disturbing that our federal government would do such a thing to someone.." The details of the story lead to some head-scratching.
This discussion has been archived. No new comments can be posted.

Report Security Problems, Face The Consequences More

Report Security Problems, Face The Consequences

Comments Filter:

  • Interesting Tactic (Score:5, Funny)

    by zpengo ( 99887 ) on Saturday August 18, 2001 @01:14PM (#2172377) Homepage
    Competition: "Oh, there is? Really? How does it...? Oh, geez that's really bad. It does that too!? You're joking? Wow, we'll get on that right away." (Hangs up phone and calls police.)

    PHB: "Good work, Johnson! That'll show 'em!"

    Naked Woman Seeks Sex at Airport [slant-six.org]

    • One item not mentioned in the article is the details of Title 18 Section 1030 [cornell.edu] which pertains to 'Fraud and related activity in connection with computers'. Under this statute, mere access to protected computers owned by the federal government is a criminal offense, and access with intent to cause damage or defraud are offenses, but this cuy hasn't commited any of these offenses. The only offense he might have committed it is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.

      The problem with prosecuting under this theory is that as far as I can tell (and the article doesn't really say either way) accessing the computer hosting the newspaper website was not done across state lines (thus affecting interstate commerce - which is why this clause can exist in the US COde at all). Does anyone know weather access to the newspaper website was done across state lines? It doesn't look like it to me.

      --CTH

      • Re:wierd tactic - details of Title 18 Section 1039 (Score:4, Insightful)

        by Anonymous Coward on Saturday August 18, 2001 @03:16PM (#2172896)
        hillct wrote:
        The only offense he might have committed it is detailed in subsection A, Paragraph 2C, which states "[Whoever accesses] information from any protected computer if the conduct involved an interstate or foreign communication;" such action would be considered an offense under this statute.


        Your point about state lines aside, the words "protected computer" jumps out at me. From what I've read, I can only draw the conclusion that the computer is not protected and that, in fact, the suspect in this case was contacting the other company to inform them of this fact. Sounds to me like this FBI team are just looking for something to do to justify their existence.
        • The previous poster (the AC) makes a vary good point. At what level should a computer be considered protected? IS a computer considered protected if there is simply the capability to set a password but none is set, or does there have to be an overt act by the administrator to attempt to protect a computer (like set a password, or read the manual or something).

          Along the same lines, could weather or not a computer is protected be established by how difficult it was to gain access? Perhaps the computer could be said to be not ptotected because the guy didn't have to take any special measures to gain access (except click the 'edit' button in FrontPage. This is a legal question and not one I have the answer to.

          --CTH

  • this is not a new thing (Score:3, Insightful)

    by Emugamer ( 143719 ) on Saturday August 18, 2001 @01:15PM (#2172384) Homepage Journal
    whisle blowers have been prosecuted and prosecuted for a long long time..... why do you think we would be immune to the norms of society?

    • Re:this is not a new thing (Score:3, Informative)

      by Anonymous Coward



      Even big stupid companies [theregister.co.uk] do it!

      Whistleblowers take 3Com to court over unsafe kit claim
      By: John LeydenPosted: 15/02/2001 at 18:43 GMT


      3Com is facing a multi-million dollar lawsuit from former employees claiming it knowingly sold unsafe products and conspired to file false police reports against them when they reported problems with its kit.

  • yeah (Score:2, Insightful)

    by vectus ( 193351 )
    That's why I never do anyone good deads.. they just bitch and complain


    But seriously, this guy deserves a medal, not time in jail, or fines. If a worker at a car company knew of a serious fault in another companies car, and didn't come forward, he would be guilty of murder (assuming people died from the flaw). If this guy didn't come forward, he would be partially responsible for the damage caused by the security flaw.


    I doubt this case will go that far, though.. I just wish the government would realize how fucking stupid they are being.

  • Depends.. (Score:5, Insightful)

    by dj28 ( 212815 ) on Saturday August 18, 2001 @01:20PM (#2172396)
    It says in the article that he 'tested' the secure hole to make sure it was indeed a security hole. It depends on what he did to that site during that 'testing'. If he did something illegal, then they are going to bust him down in court for that.

    • Re:Depends.. (Score:3, Insightful)

      by GoofyBoy ( 44399 )
      Thats pretty sad that the FBI thinks they have a case based on this.

      Doesn't his intent count for anything?

      If think a ground floor window is unlocked, should I just talk to the homeowner or should I least verify it?
      • It's not at all surprising, though.

        I have met the FBI's "top computer expert" special agent in Oklahoma. He is probably a good cop, but he doesn't know shit about computers.

        He asked for my card as a technical resource, but then I left that company (another SE Oklahoma ISP, as it happens, that doesn't have a lot of overlap with the two in this story) and I never heard from him.
    • What I do to test a hole like this is to create a small, new test page that is disconnected from the site, and upload it. Then, I may add a comment to some random HTML file burried in the site (something like a "hello world" comment at the top of the page) and try to replace an existing HTML file. Then, I try to delete the file I created in step one.

      None of these changes alter the appearance of the web site, but they test if you can upload, change and delete a file on the server.

      As to if this is illegal or not, one element of determining if something marginal like this is illegal is intent. This is akin to noticing if the lock on a gate is broken--you may wind up crossing a few inches inside the gate to determine if the door opens inward, so technically you are tresspassing. But only the most anal DA would try to have you put in jail for crossing six inches into someone else's property to check a gate latch that you then promptly warn them about.

    • Re:Depends.. (Score:3, Insightful)

      by werdna ( 39029 )
      The great difficulty derives from the outrageously broad language in the Computer Fraud and Abuse Act and in the Stored Communications Act. Virtually every meaningful access of information to or from a computer without authority can be a basis for screaming crime, with just a few technicalities. Indeed, its nasty even in a civil context.

      One incredibly important thing to take away from this communication is that if you are ever actually asked to do any kind of security audit, get a plenary release in writing that ANYTHING you do is authorized. If they don't want to do that, consult a lawyer who knows this area before you even begin to think about doing the gig. -- Its amazing how many accesses become "unauthorized" after the fact, depending upon the interests or politics of the day. Don't let this happen to you.

  • He's a witch... (Score:3, Funny)

    by doorbot.com ( 184378 ) on Saturday August 18, 2001 @01:20PM (#2172397) Journal
    ...burn him!
  • The bottom line is, with all the FUD in the media nowadays (CR, Sircam, etc..), anyone who finds a flaw in some type of system is gonna get shafted, period.

    The only thing I see as a possible remedy to this is for people to actually start using all those anonymous remailers that are floatin' around, otherwise, be prepared to get bent over for trying to be helpful. I can relate to this personally, the only good thing about it is that I only got fired, not arrested. But how much more BS are people going to take before they start to take a stand against this kind of crap?

  • Donations... (Score:5, Informative)

    by hexx ( 108181 ) on Saturday August 18, 2001 @01:24PM (#2172412)
    Do Something About This! [paypal.com]
    • I suggest that before contributing to this defense fund, you learn a little more about the case. Go here [bkw.org] and check out the Oklahoman News piece. There seems to be a few discrepencies [slashdot.org] between what West says happened, and what server logs are reporting.

      • Re:Donations... (Score:2, Insightful)

        by Eryq ( 313869 )
        The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1.

        It doesn't say that all of them came from Brian West, does it? I'll bet a bunch of them were just Code Red....

        The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

        Like what? index.html? Or dir.gif? favicon.ico? Or maybe 4 shift-reloads of a page with 50 gifs?

        I have yet to hear any sane theory as to why Brian would intentionally probe a website -- knowing that his accesses would be in the server logs -- only to phone them up and say that they have a security weakness. What would his motive be?

        Occam's Razor applies. The simplest explanation is Brian's. Even if he was probing for weaknesses, he still did the right thing when he found them.

        • Re:Donations... (Score:3, Insightful)

          by szcx ( 81006 )
          I have yet to hear any sane theory as to why Brian would intentionally probe a website
          Want to play with Occam's Razor? How about this; Brian works for Cwis, he cracked the website then contacted the Poteau Daily News to "rescue" them from the incompetence of his competitor, Cyberlink.

          I'm not saying that's what happened, just that you can't be sure that it's not what happened. People need to find out as much as they can from both sides of the fence before contributing to a "defense fund".

    • How exactly do we know that this paypal account is valid, eh? I could make a killing by taking 5 minutes to set up an account and then posting on Slashdot (because, of course, such noble activism certain warrants enough +1s to bring it to the top of the comments). Brilliant scheme, no?

      Naked Woman Seeks Sex at Airport [slant-six.org]

    • Also, for those who are adverse to PayPal, there is an Amazon Honor System account setup as well.

      http://www.amazon.com/paypage/P3EMCVKJQX404O [amazon.com]

      I just donated. You should too.

  • The FBI posed as employees of the Poteau Daily News and asked West about dedicated internet access (T1 or better). They called for the best time to come visit him at Cwis Internet Services, the company where he works. After setting up a meeting, the FBI arrived on Feb. 11, 2000. When the FBI, posing as the 'main office' of the Poteau Daily News, asked about the problem with the pdns.com site, West explained the details regarding the pdns.com (Poteau Daily News) website, including how to fix the server misconfiguration. At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked. As it happened, the site was still wide open, two weeks after he had explained the vulnerability and how to fix it to the editor-in-chief of the paper, Wally Burchett.

    I'd be tempted to call this entrapment...except for the fact that he didn't actually commit a crime.
    • I'd be tempted to call this entrapment...except for the fact that he didn't actually commit a crime.

      And THAT is exactly what is wrong with this case. He commited no crime but they'll create a law and set some evil precident to make sure that what he did is in fact punishable by law.

      Wasn't long ago that somewhere over in Europe someone discovered that one of those wired park benches allowed long distance for free, at Microsoft's expense? When those guys reported it, did THEY get arrested? No? Why?

      Because Justice is supposed to protect people, not relentlessly punish.

      Our system is screwed up pretty good. With laws and courts like these here in the US, who needs foriegn enemies?
  • I don't know how, but I'm pretty sure that 'violating the DMCA' will eventually come up as the charge.
    • I'm pretty sure that this has nothing to do with the Digital Millenium Copyright Act. In this case, the FBI seemed to be quite devious, not stupid. What does this have to do with Copyright violation? Nothing, since with the security whole it would be easier to deface intellectual property. Maybe you should consider spending some time away from Slashdot for a bit : ) Not every dumb government action is because of the DMCA, after all.

  • Important lesson (Score:5, Insightful)

    by MeowMeow Jones ( 233640 ) on Saturday August 18, 2001 @01:29PM (#2172435)
    Talk to the techs.

    Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

    • Re:Important lesson (Score:3, Interesting)

      by atheos ( 192468 )
      It appears to me that he didn't want to inform the security flaw to the competing ISP.
      It looks to me like he simply wanted to sway the customers over to his company, and use the security flaw for the reason.
      ya ya ya, I'll get modded down for this, but I do think there is more to the story.
      He should have contacted the other company, and the FBI should do better things with their time.

    • Way too often, you get hold of someone incompetent. When that happens, more likely they realize they're in over their heads and that their fanny is showing and it needs to be covered up. I've dealt with webmasters and sysadmins before, and usually things don't get taken care of. But in the cases where I was able to get hold of someone in management that gives a damn (even if he isn't a techie) things do usually get taken care of and often quite quickly. So in the current (sad) state of affairs, if you can get hold of someone higher up in management that can at least understand that their is a problem, that is the best way to do it. I do realize that may come down hard on someone at the bottom who may simply have made a typographical error. But in the majority of cases I've encountered, were I the management in charge with what I know about these things, at least one head would roll.

    • Nah, just mention it in #h4k3rz or something. Let the problem work itself out.

    • Re:Important lesson (Score:2, Insightful)

      by Faies ( 248065 )

      Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster?


      If I were this guy, I would talk to the editor-in-chief rather than the techies working on the webpage in the first place. If no authentication is needed, the webmaster may not have been using a password him/herself. Since it would appear that no effort had been made to secure the page, then I would think the webmaster was slightly on the incompetent side and report it directly to somebody who might oversee the webmaster instead.

    • Wrong Lesson (Score:5, Insightful)

      by fm6 ( 162816 ) on Saturday August 18, 2001 @04:02PM (#2173041) Homepage Journal
      Why would you call an editor-in-chief who has no experience with computers instead of, I don't know, say emailing the webmaster? Contacting someone at the hosting company?

      Totally wrong. Somebody who knows the technology must have been involved even before the called in the FBI. And I'm sure the FBI and the U.S. Attorney also have technical experts.

      Undoubtedly Cyberlink has a policy of referring all security breaches with to the authorities. They probably call it "zero tolerance" or whatever the get-tough buzzword is this week.

      Common sense says that West behaved responsibly. He inflicted no actual harm on the Daily News web opeation, and indeed probably saved them some down time, or worse.

      Unfortunately, common sense is not relevent here. When somebody gets caught in a technical violation of the computer security laws (even when the violation is matter of interpretation, as in this case), the authorities have every motivation to "send a message" and go after the "culprit". Brian West's criminal intent, or lack of it, is simply not to be considered.

      The ultimate safeguard is supposed to be the trial jury, which would presumably see that Brian is anything but a criminal. But in order to avail himself of that safeguard, Brian has to expend all his financial resources in an expensive trial.

      So the U.S. attorney offers Brian a plea agreement involving no jail time. Brian gets to walk away with some of his finances intact, and the feds get to chalk up a conviction. Everybody's a winner.

      Outragous? Yeah, some people would say so. Stupid? No argument from me. Counterproductive? Actually making things worse? Absolutely. Unprecedented? You've got to be kidding. This is the way the justice system works, and this sort of thing happens every day.

      I've long had a policy of never reporting security breaches, unless the victim is somebody I know and trust. I've had brushes with the "shoot the messenger" mentality before, though never anything as nasty as this. I'm not suprised, but it's a little chilling to see my worst fears so thoroughly confirmed.

  • Not the whole story... (Score:5, Interesting)

    by szcx ( 81006 ) on Saturday August 18, 2001 @01:36PM (#2172464)
    LinuxFreak:
    The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.
    Oklahoman News:
    Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.

    The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.

    With that in mind, let's not canonize Brian West just yet.

    • Re:Not the whole story... (Score:5, Informative)

      by Anonymous Coward on Saturday August 18, 2001 @01:51PM (#2172529)
      I know the guy in question on this situation and he didn't do anything malicious. I was talking with him on IRC at the time he found the problem and since he isn't an NT type he didn't quite undrestand what had happened. You can pull up one webpage and get dozens of listings in a log file with all the pictures, etc ... so the hundreds of attempts makes it sound worse than it really is. He did access directories on the site that operate it (they have a perl script so they can enter articles/changes via a web interface) just to see if it would allow him access to places that should have required additional passwords (not just the front page password) and sure enough it did. Nothing on the website was modified or any files changed or anything malicious. They're also claiming that this news perl script he accessed was worth $5,000 because that's the limit to get a federal prosecution.
    • Read the comments below the linuxfreak article. Brian explains it in a bit more detail. He did use a username/password, but he got it from a file served to the public from their site.

      And I think that the "hundreds of attempts" mentioned is just their normal daily load (their advertising claims to reach "over 1000" readers daily, and this is over a year later, right?). And if only *some* were trying to access these files and scripts, why even bother mentioning "hundreds of attempts" - that number is irrelevant!

      Basically, he did a bit more than click on "edit," but it sounds like he really did just find the hole and check to be sure.

    • LinuxFreak:

      The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password.

      Oklahoman News:

      Burchett told authorities that West said he accessed the web site by obtaining user names and passwords.

      The newspaper said its user logs indicated hundreds of attempts to contact the web site Feb. 1. The affadavit said many of the attempts were efforts to access the files and scripts that cause the web site to operate.


      Hmmm. Oklahoma news vs. Linuxfreak on a technical issue ... and Oklahoma News reports what 'Burchette said' instead of what happened. Big surprise. Are you serious? Are you stupid? or perhaps your just not thinking.

      Let's canonize him. Seriously. Next you'll be telling me that accessing /etc/passwd constitutes a cracking attempt!

      Let's adopt the same philosophy the FBI and the prosecutors have - if we are wrong about this one, they are guilty ten other times that we can't prove. I don't have any problem treating them like they treat others!
    • I live in OK. Never trust what the Oklahoman says. It has been judged one of the WORST newspapers in America (http://www.cjr.org/year/99/1/worst.asp). They are racist, homophobic, and very skewed on all their reporting.
  • Two months ago, my firewall reported a scan from an IP...I was bored, so I checked it out and it looked like a home computer...on a hunch, I tried mapping to the \\www.xxx.yyy.zzz\c share with no password.

    It was infected by a trojan that replicates off of unprotected C drive shares in Windows...I was looking at his C drive...and I thought about replacing everything on his desktop except for a note telling him he was infected with a trojan and his HD was open to the world.

    Thank God I wised up...He could have had me prosecuted!!!! God I'm so starting to hate the government.

    "I've never been to Vegas, but I've gambled all my life" - Ryan Adams

    • God I wised up...He could have had me prosecuted!!!! God I'm so starting to hate the government.

      Damn right. And you would deserve to be prosecuted. I'd have no hesitation on throwing your ass into court.

      Bottom line, I don't want you or ANYONE regardless of their intentions modifying my computer. Chances are you would fuck something up while trying to "help me".

      Just like you wouldn't walk into someone's house just because they forgot to lock the door, there should be zero tolerance for people breaking into computers for whatever motive. The "hacker ethic" that it's OK to break into people's property for "learning purposes" or "curiosity" must be put to cold, hard death.

      • Bottom line, I don't want you or ANYONE regardless of their intentions modifying my computer.

        And if your computer is like a runaway train, screwing things up for everyone else? And if you are a clueless Win2k PC owner who has been 0wned for weeks and still hasn't read about Code Red or applied patches? And your PC is attacking everyone else around you, repeatedly? I such a situation, I think you should lose just a bit of protection.

        An infected computer is sort of a "public health" issue. It's like having the house next door on fire... I think you should be able to throw water on it. Or at *least* go tell the owner what's up.

        But I can't do even that. I can't email the chump at 65.3.142.xx because he doesn't have a domain name. And the ISP isn't doing anything, so how can we help this person to clean up their mess?

        The "hacker ethic" that it's OK to break into people's property for "learning purposes" or "curiosity" must be put to cold, hard death.

        Agreed. But...

        It would be nice to have a law passed that explicitly made it okey-dokey for people to merely inform a Trojaned luser of their situation, so long as no harm was done.

        Unfortunately, we will have to wait until today's Nintendo generation is in office before such laws have any chance of being introduced. If my mom is only now coming to grasp PPP connections, how can I expect people of similar age and experience in the legislature to understand things like the Code Red virus? All they know is "computers scary."
        • It would be nice to have a law passed that explicitly made it okey-dokey for people to merely inform a Trojaned luser of their situation, so long as no harm was done.

          I don't think that law is needed. I don't see any reason why people informing trojaned lusers cannot do that safely. I have got countless Code Red probes in my Apache logs and have seriously thought about trying to warn those people (it's just there are too many of those).
          There's no way that could be illegal.

          I won't be trying to "verify" if the root.exe exploit is available on those machines, since that could give me some serious trouble of someone were to pursue a claim against me.
          No matter what my intentions are, that would be gaining unlawful access to someone else's machine.

          The problem with your statement "(...) so long as no harm was done" is hard to objectively maintain.

          Suppose a server I am sysadmin of has a security hole. You're trying to help me and being a white hat hacker you enter my machine and take a good look around and after doing so you create a nice summary of problems and even the necessary fixes.

          At first sight, that really is commendable.

          However, since I don't know you or your intentions can I safely assume you ment no harm and did no evil things to my machine? Should I take your word for it? For all I know you're just helping me to patch up my machine so no other evil hackers get in and you are the only one that is able to get into my now mostly-secure-but-now-backdoored-machine.

          The consequence of you trying to help me is that I would have to retrace all your actions on my machine, which might not have been necessary if you didn't try to "help" me by gaining access to my machine without getting asking me in advance.
          Surely I'd have to do a full security audit anyway, but now there is more information in the logs to be checked out.

          No matter what your intentions are and how stupidly I misconfigured my machine, your attempt to help me just cost me a whole lot of extra time and downtime.

          Informing people is fine and totally legal. Gaining access to their machines without their consent is illegal and rightfully so, as far as I'm converned.

          The law I would like to see is one that holds people accountable for problems caused by those people not securing their machines (Code Red anyone... think of all the bandwidth wasted by that little prank). Better still, don't make it a law, ISPs could take it up in their conditions they are allowed to pull the plug when such problems aren't fixed within a certain period!



      • Damn right. And you would deserve to be prosecuted. I'd have no hesitation on throwing your ass into court.

        Bottom line, I don't want you or ANYONE regardless of their intentions modifying my computer. Chances are you would fuck something up while trying to "help me".

        Just like you wouldn't walk into someone's house just because they forgot to lock the door, there should be zero tolerance for people breaking into computers for whatever motive.



        Excuse me, but I don't recall having observed my neighbor's house walking over to my house and checking to see if the front door was locked, or tampering with the locks so that other intruders can get in, then causing my house to behave in the same way.



        I think I can safely say that if I saw your house walk over to my house and start jiggling the locks, your house would be toast.

    • Two months ago, my caller ID reported a call from a number. I was bored, so I checked it out and it looked like a home number. On a hunch, I looked him up in the cross-reference directory and went to his house.

      He'd left his door unlocked, and I was looking at his living room. I thought about leaving a note on his TV telling him he left his door unlocked and his house was open to the world.

      Thank God I wised up...He could have had me prosecuted!!!! God I'm so starting to hate the government.

  • I once did something like this...But won't again! (Score:5, Interesting)

    by tjgrant ( 108530 ) <tjg.craigelachie@org> on Saturday August 18, 2001 @01:42PM (#2172496) Homepage

    Shortly after we got our first T1 connection a few years back, we saw a bunch of strange computers show up in our network neighbourhood, This puzzled me, so I clicked on one of the computers and found out that it had a bunch of shares available. Sure enough, the shares were wide open. I didn't quite no how to respond, so I waited a day to see if the problem went away. It didn't.

    I figured that if I could see the shares other people could to, so I opened a share and started looking for a document name that might give me a clue as to who was unwittingly making all this stuff available. I found a document called "Letterhead" or something like that, opened it up, and found a company name and number. I then called the company and told them what I had found.

    They too had just gotten a connection, and the consultant that was in charge of configuring the firewall had not done things very effectively. The lady I spoke with was profusely thankful, and the problem was remedied in short order.

    However, after reading this article, I'd probably just add some rules to my own firewall to stop their packets and leave it alone.

    • Re:I once did something like this...But won't agai (Score:4, Insightful)

      by snakecoder ( 235259 ) on Saturday August 18, 2001 @02:20PM (#2172672)
      A co-worker of mine found a strange machine on a corporate housing DSL network. Turned out to be a CEO of a consulting firm. My friend did poke around and noticed what could have been sensitive documents. He also was able to look at this individuals cookies. He was not able to find the guys e-mail directly so he contacted the company instead. The CEO called him directly, thanked him and offered to take him to dinner.

      The big question is, would this guy have been as greatful if he knew the methods my co-worker used to figure out who he was? It's a fine line. Maybe being an anonymous good samaritan would be the better route.

  • What to do? (Score:5, Interesting)

    by yogensha ( 181588 ) on Saturday August 18, 2001 @01:43PM (#2172497) Homepage
    So say I've found a security hole in a web site that I happen to pay to get access to... I look around a bit and find my credit card and contact information. What to I do then? Do I report the issue and get prosecuted, or do I not report the issue and leave my personal information open for anybody to see?

    This is a crappy situation.

    • Re:What to do? (Score:3, Insightful)

      by SCHecklerX ( 229973 )
      Sue them for giving your private credit information to everybody in the world.


      Or better yet, contact the FBI and let them take care of it, even if a phone call to a competent admin could have fixed the problem.


  • ...never be a good samaritan, because no one will appreciate your efforts.



    Imagine this conversation in your street:



    Guy 1: "Hey neighbour, you've left your front door wide open and I think the local hoods are eyeing over your TV and VCR system."



    Guy 2: "What? You say you saw my front door open? How did that happen? I couldn't have left it open, not me. You opened it, right? I'm calling the cops buddy."



    Only in America.


  • tragic, but not surprising. (Score:5, Insightful)

    by Anonymous Admin ( 304403 ) on Saturday August 18, 2001 @01:50PM (#2172527)
    FBI goons play friendly while gathering evidence.
    Only those things that can be used against you are considered.
    Where is there news here?

    I have made it a point to NEVER, under any circumstances, connect to any service beyond web pages linked by their own site, without written permission of the owner, on their corporate letterhead.

    Exposing security problems is considered to be a nasty evil thing. Dont do it. Let them be hacked. Do not do it yourself. If you accidently find a hole, dont access it, Dont tell others of its existance, just go on about your own business.

    You, a computer knowledgable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Dont provide it.
    • "You, a computer knowledgable person, represent a good tasty meal for the FBI's new computer crime group. They must somehow prove their worth to congress. You provide them with opportunity by providing a community service. Dont provide it."

      Yep, that's exactly what you are doing by helping them out. If we, as a profession, quit making victims of ourselves, the problem will take care of it'self. For one thing, the government is as likely as incompetent with computer security as it is with almost everything else it does (such as deliver mail). What it's VERY efficient at, unfortunately, is using force, and at manufacturing crime for profit (drug war).

      Remember, FBI and other law enforcement types are trained and propogandized to believe the WORST about us. Don't play into their hands. I know I'm sounding off the deep end on this, but with our government UNANIMOUSLY rubber stamping laws like the DMCA, why should anyone be surprised at ALL that they will do such things even to those of us who try to, GOD FORBID, do someone a favor?

      The only mistake this guy made was in not demanding $thousands up front as a "CONsultant" from the site in question.

  • It's sad indeed that in 2001 America, we've seen truth in the old adage "no good deed goes unpunished".

    I suppose in today's legal climate, the only way to treat your neighbor is callousness, at least, and stay out of jail. Help your neighbor, get 1-5 years.

    My suggestion to all those who are admins/coders/hackers/engineers, keep it to yourselves. I suppose we'll secure our systems, and let the government and the rest fall prey to script kiddies and our silence until they learn the Darwinian lesson of the consequences of their stupid 21st Century "digital age" laws.

  • No good deed goes unpunished (Score:4, Interesting)

    by YIAAL ( 129110 ) on Saturday August 18, 2001 @01:52PM (#2172538) Homepage
    This shows the lack of judgment that has become endemic in federal law enforcement. The Cato Institute [cato.org] has been arguing for quite a while that the massive increases in federal law enforcement budgets over the past fifteeen years, with no matching increase in crime, would encourage the feds to prosecute things that they previously would have had the sense to ignore, just to make work. Seems to be happening.
  • The story went into no details on what he did besides click 'edit' to compromise the site? It didn't actually state what he was formally charged with other than mentioning 'wire fraud' which could have a wide varying set of meanings. As part of being in this community I think it's up to us to dig and find more information before making rash decisions. After all, aren't we criticizing the FBI for their, apparent, rash decisions?

  • part of the problem is incompetent sysadmin (Score:5, Interesting)

    by Skapare ( 16644 ) on Saturday August 18, 2001 @01:56PM (#2172560) Homepage

    My first encounter with an incompetent sysadmin came many years ago when I was compiling an index of files located on public FTP servers. This was even before the Archie indexing system was set up. I gathered lists of servers from Usenet and ran an indexer on them. The indexes were made available by FTP. The indexes were re-run about weekly. There were about 4 FTP sites at JPL in the list. I received a threatening letter from a sysadmin at JPL "informing" me that I was accessing a "secure government computer without authorization". Secure my ass! It was wide open, had files of clearly public interest, had no files I could tell from their names (since I didn't actually download any) would be anything confidential or secret, and was advertised as a public server on Usenet. After a few exchanges of email with this sysadmin, it became apparent that he was not only totally incompetent and utterly inept, he wouldn't even lift a finger to even try to fix his security problem. Were it not for the fact that its often very hard to get rid of the incompetent in government, I would have tried to get this guy fired. Of course today it would only get me arrested. I did remove that server from the list. If only there had been a slashdot in those days, but there wasn't even a web.

    The law is today basically covering up for administrator incompetence. An administrator mistake that leaves a site insecure is one thing. But trying to cover up the mistake, or otherwise avoid doing the job ... is what is the indicator of the incompetence. We know about the bug in IIS that spawned life to a red worm. Microsoft even fixed it well before the worm started. The two Microsoft admin types I know had their servers all patched up and secure before the worm ever hit. But clearly there are hundreds of thousands of servers run by the incompetent.

  • Something similiar happened to me (Score:5, Interesting)

    by Kiwi ( 5214 ) on Saturday August 18, 2001 @01:57PM (#2172562) Homepage Journal
    A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

    The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram [counterpane.com] (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

    About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

    Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

    Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

    At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

    Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

    Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help [grc.com] (scrool down to the section where he describes his dealing with the FBI).

    - Sam

  • Something similiar happened to me (Score:3, Interesting)

    by Kiwi ( 5214 ) on Saturday August 18, 2001 @01:59PM (#2172577) Homepage Journal
    (Sorry about the blank comment. The new Slashdot code is still really buggy)

    A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

    The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram [counterpane.com] (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

    About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

    Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

    Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

    At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

    Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

    Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help [grc.com] (scrool down to the section where he describes his dealing with the FBI).

    - Sam

  • Well, what did YOU do ? (Score:5, Insightful)

    by aibrahim ( 59031 ) <slashmailNO@SPAMzenera.com> on Saturday August 18, 2001 @02:10PM (#2172624) Homepage Journal
    I emailed the DOJ, President, VP, My US Senators and Oklahoma Senators about this case asking them to look into it. Here is the message I sent:
    I read about a case regarding Brian K. West in Southeast Oklahoma at:

    http://www.linuxfreak.org/post.php/08/17/2001/134. html

    If the information contained therein is correct, then there is already a SERIOUS miscarriage of justice going on.

    Is it the policy of the United States , the Bush Administration and the Department of Justice to prosecute well intentioned citizens for attempting to help a stranger in an entirely benign manner ?

    Would the DOJ prefer that the editor never have been notified about the security issue accessible through routine use of Microsoft software ?

    What about the implication for other "good samaritan" acts ? Does the DOJ intend to set a precedent allowing any confused person to prosecute and/or sue anyone who helps them ?

    I call on the DOJ to investigate the legal and technical competence of the attorney and law enforcement personnel in this matter.


    Feel free to copy this and send it off if you like. With luck, either the DOJ will quit, or we'll get a better explanation. Hopefully we can create an awareness that VOTERS ae watching what happens in these matters, and that we expect reasonable action and competence.

  • Contact Wally Burchett and the Poteau Daily News (Score:3, Informative)

    by pclinger ( 114364 ) on Saturday August 18, 2001 @02:14PM (#2172635) Homepage Journal
    Mr. Wally Burchett has some serious issues, and
    the Poteau Daily News has something coming to them if they think they can get away with this.

    Everyone should start writing letters, call the editor, etc. From their Web site:

    Address:
    Poteau Daily News & Sun
    P.O. Box 1237
    804 N. Broadway
    Poteau, OK 74953

    Office Hours:
    7a.m. - 6p.m. Mon.-Fri.
    8a.m. to Noon Sat.

    Phone Numbers:
    (918) 647-3188
    (918) 647-8198 Fax

    Email:
    pdns@pdns.com
    publisher@pdns.com

    If you write letters, direct them to Mr. Wally Burchett.

    As with all the causes we at /. are for, remember to only write well thought out letters. Don't send "j00 4r3 l4m3r5" letters, they don't help.

    For all the security holes I've pointed out to various sites, if people called the FBI on me I would be in jail for the rest of my life.
  • Ten firemen of the Oklahoma city were arrested early this morning for trespassing.

    The squad alleged they broke into a house because it was burning, and they received an emergency call that said there were people trapped inside it.

    Instead of innocent trapped civilians, they unknowingly tried to rescue undecovered FBI agents.

    The firemen broke the main door and entered into the burning house, when they were immediatelly charged for vandalism, trespassing and attempted burglary.

    They alleged they were trying to save lifes, but this is no excuse to FBI agent Smith, that said:

    "What we are facing here is a very serious crime. The entered the house without written permission from its owner. They work doesn't matter. Or do you think a teller can enter a bank's safe and get money without permission ?"

    If the firemen don't get convicted, then the prosecutor woult try for arson.
    • Actually, the FBI agents weren't trapped inside, they were just debating who would go to jail after one agent pointed out that another's fly was open. Was the person with the lazy zipper a sex offender, or was the person who pointed it out a peeping tom? By the time the firemen got there, the agents had all handcuffed each other to each other. Local police commented that this was obviously some arsonistic sex cult, and that the FBI agents' names should be listed on a public bulletin board. The NSA pointed out that this would unnecesarrily expose the agents, so the cops were arrested. The DoJ brought the case before the Supreme Court and thus was the entire american 'justice' system brought to a halt.

      The firemen, having no one left accusing or prosecuting them, returned to life as usual, and the nation breathed a sigh of relief as good samaritanism was, if not legal, at least accepted again as there was no one to prosecute the cases left.
  • While this individual seems to have done a "good deed" in communicating a security flaw and this pursuit by the feds is excessive, the issue should at least get a fair treatment from both ends. Just imagine the following coversation:

    Concerned Citizen: "Mr. Smith, I'm calling because I noticed that your bedroom blinds are partially open and I can see your wife walking around in the nude. I thought I'd bring this to your attention so you can remedy the situation before more malicious sorts exploit the breach in your window dressings."

    Smith:"Are you sure about this?"

    Concerned Citizen: "Yes sir. Just to be sure, I pulled out my binoculars. I can tell you that your wife has a pierced left nipple and a tattoo of Bugs Bunny on her right butt cheek. Oh, and I'm sorry about your lack of gift. They say that size really doesn't matter anyway..."

    Smith: You bastard!!

  • Since I don't have the cash to contribute right now, I did send an email to the address given at the end of the article. Here is what I wrote:


    Hello,

    I just read about a case involving Brian K. West. The URL is:
    http://www.linuxfreak.org/post.php/08/17/2001/134. html

    From everything that I have read, this person did absoultely nothing
    wrong. I fail to understand why he is being persecuted for simply
    notifying somebody of a *VERY SERIOUS* security hole on a service they
    offer to the entire world.

    Please consider throwing this case out. Mr. West has undoubtedly
    already lost much time, money, and reputation due to this injustice.
    Had he done the same thing for me, I would have immediately sent him a
    message of thanks and IMMEDIATELY secured the site. Aparently, weeks
    after the initial warning that Mr. West was so kind to give the poteau
    daily news website administrator, this hole (really a misconfiguration
    on the administrator's part) still was not closed.

    Allowing frontpage publishing to the entire world is a serious
    potential vulnerability. Doing the same with no authentication
    mechanism is just plain stupid, especially for a news site whose
    integrity is at stake.

    If you would like to see other people's views on this incident, please
    visit:
    http://slashdot.org/article.pl?sid=01/08/18/170259 &mode=thread

    -- greg, webmaster@no.slashdotting.desired

    --
    Greg Spath
    gspath@no.slashotting.desired
    http://no.slashdotting.desired

  • I"m gonna make up an even better story with even less sketchy details about what I actually did and what the cops charged me with, leaving very clear info on how to help donate money to my cause.

    For all of those tempted to donate money, make sure you check out the story first!

  • What about MS? (Score:5, Funny)

    by multicsfan ( 311891 ) on Saturday August 18, 2001 @02:29PM (#2172714)
    Shouldn't MS be a co-defendent as they provided the software used to 'hack' the site? Isn't there something illegal about making tools that are used for 'hacking'?

  • Good samaritan laws (Score:2, Interesting)

    by Mark Bainter ( 2222 )
    Hrm. I think we need updated/slightly modified good samaritan laws to cover this sort of thing. This is even worse than situations GS laws were meant to cover. Currents are if you cause damage accidentally trying to help. He didn't even do that. It's like rescuing a man from drowning and having him sue you for doing so. To quote John Stossel: Give me a break.

  • The way we make laws is a security flaw (Score:3, Interesting)

    by blair1q ( 305137 ) on Saturday August 18, 2001 @02:44PM (#2172779) Journal
    Anyone with a bad idea and enough money can get any nonsense turned into a law.

    --Blair
    "Democracy is a wonderful thing. I wish we had some."

  • Death of a hobby (Score:2, Interesting)

    by Anonymous Coward
    I am a graduate chemistry student. I do chemistry in a laboratory belonging to a University, and order all my supplies from approved companies who, in turn, will not sell to the general public. Old folks tell me that there was a time when one could walk to a drugstore and buy some chemicals! Yes, sir, I'd like some potassium permanganate, some methylene chloride, and some tantalum azide. You do know what you're doing, son, don't you? Yes sir, I do. Okay then, be careful.

    You try doing chemistry as a hobby at home today you will find yourself in jail. Even if you never make any drugs or bombs, it will be assumed that you are making drugs and bombs. The possession of any chemicals which could conceivably be used for making drugs or explosives will be taken as evidence that you are making drugs and explosives - even if you aren't. Even if you have careful notebooks which explain what you're doing, it won't help you. People have been sent to prison for possession of three-necked flasks and triple-beam scales!

    Computer security has, I think, gone the way of chemistry. Don't do it at home! I am by nature a paranoid person - perhaps this is to compensate for my lack of ability to "read" people and take hints - it would never occur to me to do any white-hatting and give my real name. I would have notified the newspaper jerks by email from an anonymous terminal or by disposable calling card from a payphone. The boy in this case should have told his boss at his company, and let his company decide whether to call or not. Instead, he goes off and gives the impression that he goes around finding holes in systems, on his own, all the time! If security is your hobby, go and get a job at an actual security company and do it full time. Or don't do it at all.

  • Many of us have pointed out problems with web sites but few of us have been keelhauled for it. This is a chilling development to think that FBI agents are so eager to be promoted for appearing to be cyber-savvy with such grandstanding symbolic arrest-like-gestures and ISP managers trying to cover their incompetent butts by crucifying a well intentioned guy like this.

    Moral: Stop reporting security holes!

  • Parallel Senarios... (Score:3, Interesting)

    by Pollux ( 102520 ) <speter@[ ]ata.net.eg ['ted' in gap]> on Saturday August 18, 2001 @03:21PM (#2172920) Journal
    Passer-by: "Hello, police? Yea, I was driving by KMart when I noticed that the doors have been broken off of the front of the building. You might want to get someone over before the place gets robbed."

    Police: "Stay there for a while sir and watch things until we arive."

    <I>15 Minutes later...</I>

    Passer-by: "I'm glad you made it. I was getting tired and..."

    Police: "You're under arrest for theft and breaking and entering."

    Yea, that makes a lot of sense.

  • Entrapment and other issues. (Score:5, Insightful)

    by Restil ( 31903 ) on Saturday August 18, 2001 @03:40PM (#2172978) Homepage
    First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically thats entrapment.

    If the company asks me to demonstrate breaking into their website, then thats the same thing as inviting me into your house then having me arrested for trespassing.

    Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.

    All that aside, what do we do? Should we not bother to help the world secure itself? Should we just worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.

    How DO we deal with this? Law Enforcement either doesnt' have a clue, or doesn't care, and probably its both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure microsoft crap and have it work, and microsoft certainly isn't going to take any blame for it.

    This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcment involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.

    As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if its not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?

    -Restil
  • When Mr. Burchett called back, he recorded the call and asked for details on the server problem.

    I find it so ironic that geeks and programmers (myself included) are so one-dimensional about life. On the one hand, we spend enormous amounts of time and resources securing machines from outside intrusion, and ridicule those who don't (e.g., Microsoft).

    On the other hand, our entire lives are an open book to any law enforcement agency, businessperson or non-tech professional because we just don't know enough about how life works.

    Here's a clue: don't let an angry guy you don't know record you on the phone! Federal laws are very strict about the legality of recording telephone conversations. If both parties do not agree to the recording, the person doing the recording is commiting a crime.

    Maybe if we secured our own lives as well as we did our servers these problems wouldn't happen to us. Why do we blame the sysadmin if someone breaks his insecure box yet blame the government if they break into his insecure life?

  • He has not been charged! (Score:5, Insightful)

    by small_dick ( 127697 ) on Saturday August 18, 2001 @05:46PM (#2173301)
    Ahem, this man has not been charged with a crime. That means they are blowing smoke -- for now. He does not need an attorney.

    Look, several years ago, I walked near an area where a sexual assault had taken place. The police saw me, and you can imagine what happened. I was a perfect target -- single, no alibi, just walking between two places alone.

    They questioned me, took my info, and left. The next day they started calling me at home and at work, trying to get me to confess, trying to get me to "accept" a lesser charge.

    They stated that if it went to court, they had enough circumstantial evidence to convict me, that if I didn't take the offer, they would go for the most severe charge. I would be in jail for "years", and (obviously) lose my job.

    If I would just confess to a lesser charge, they would "guarantee" no jail time, and no fine. After seven years, it would be like nothing happened, there would be nothing on my record.

    There was just one problem with accepting the blame : I was not the perpetrator; I commited no crime.

    So I was scared. I spent some money on an attorney ($75) and the guy wanted thousands "up front" to "insure my freedom".

    As it turns out, most lawyers are lying bastards. I talked to my Dad's attorney about this, and he started laughing. He said "My God, this is America! You haven't even been charged! They're blowing smoke up your ass to try and get a free conviction for doing no work!"

    He recommended that I call the Detective and state:

    "My attorney and I will surrender to your department when charges are filed, please contact me at that time. I have no intention of fleeing; I would like to avoid the embarrassment of being arrested at my home or place of work".

    Total cost for a real attorney : $0.00

    I was never arrested, charged or contacted again!

    Know your rights! You do not have to speak to the police...you should respect them and answer rudimentary questions with honesty, but once it becomes clear that you are a target of the investigation, stop talking! Simply tell them you intend to turn yourself in when charges are filed.

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close