Brian West Update 313
Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.
financial gain (Score:2, Offtopic)
It all seemed so clear the first time through... (Score:4, Interesting)
Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy I suppose. I think it is the "for profit" motive - that he would steal someone else's work and try to sell it as his own - that is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
I'm glad the rest of the details came out on this one.
Re:It all seemed so clear the first time through.. (Score:5, Interesting)
Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy?
The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - I look at this as a simple thing - it is unauthorised access and therefore illegal.
When will some people get this through their heads - if you have someone else's account and password obtained from any source which does not have authority (eg the sysadmin or network admin) then you are committing a crime - you should not have it.
It doesn't matter what you do with them or where you got them, possession is intent - intent is used to prosecute.
Think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or articles on hacking, maybe a hacking program, and they find a list of passwords and logins to systems and websites.
Guess what - that's intent and you are getting charged with hacking; if they happen to be bank system passwords you are probably going to be charged with fraud. They might not prove the charges but they have sufficient prima facie evidence of intent to commit a crime to charge you with these things.
I cannot see ANY justification to have lists of passwords and user names to anybody else's system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap it's not funny and it's the argument all the hackers attempt when they are caught.
Re:It all seemed so clear the first time through.. (Score:3, Interesting)
Re:It all seemed so clear the first time through.. (Score:2)
Re:They WERE public. (Score:2)
The statement on a web page about authorised access only means we can sue your ass and charge you with a crime - why do you think it's there.
This is the sort of rubbish I keep seeing here - simply put there are some answers for you
1. He did not just find the passwords - he spent weeks looking for a way in however he could and this is the one he got.
2. The names and passwords were not on the home page - they were inside the system and he got them after he got in
3. Where did they post login information? He didn't hack into the website, he hacked into the server
4. They were his competition thus he can be deemed as committing industrial espionage
5. He copied the passwords and logins and the files and gave them away thus he is guilty of dealing in stolen goods
6. It wasn't a public page
7. He didn't get in through a bad password
8. Posting a login is not an invitation as it says on most (and I am sure this web page) AUTHORISED USERS ONLY - thus if you don't have the right to be there don't login
9. Having got in he told the newspaper editor he had and boasted about it and about hacking a bank (he lied but that's not the point)
In short he's stupid
This is the sort of weak crap that all the script kiddies use - it was there so I had the right - they all use it right up until the minute the FBI arrests them, then they claim the freedom of the EFF and open source etc - trust me these people don't give a fuck about any of this - they are out (as this guy was) for personal gain
HE LOOKED FOR THE HOLE
All of this information is in the various newspaper stories and affidavits and court documents - READ it before you post these lame attempts at justification
ALL HACKING AND CRACKING INTO SYSTEMS IS WRONG - IT COSTS COMPANIES MONEY AND ULTIMATELY IT WILL COST YOU FREEDOMS - DON'T DEFEND THESE GUYS
Re:They WERE public. (Score:2)
If you extended this argument to homes we would all live in a house surrounded by barbed wire, rottweilers and floodlights with machine guns for point defence.
BTW from the information provided he didn't make a new account, he stole existing ones.
I still think all hacking is wrong as the white hat argument is trotted out only when they get caught doing something they should not be.
Now if you will excuse me one of the rottweilers is barking and I think another one of those Avon ladies is caught up in the barbed wire.
Re:They WERE public. (Score:2)
So let me see - having worked for 10 years and done everything from help desk to field support to sysadmin to gain my position I am a stooge?
And the analogy between a house is one that is CONSTANTLY used on this site to defend this sort of person - it might be wrong but that's life and it is after all my opinion.
My arguments are not from a corporate viewpoint - my arguments are from years of maintaining secure systems, patching, updating, rebuilding, years of stoneds, melissas, prelissas, markers, code reds, nimdas and such like, years of repairing damage done when some uber 14 year old manages to find a hole in a web page on a system you didn't set up but has become your responsibility and you have to clean the mess up, years of port scans and DOS attacks on servers and one case of a super cool dood who hacked into a system at a previous employer and then proceeded to destroy it (a company that made glass windows and doors no less - what sort of reason was behind that)
Now I have an instruction for you. I looked back at your past posts and you have posted some very anti-corporate diatribes and at least one bad experience - thus YOUR opinions are colored as well.
I have 25 staff under me and they are all great guys, I try and pay them well and look after them and I have turnover of less than 1 person in 2 years - in return I defend them and expect loyalty and hard work, that's all - I don't spout corporate ethics - I support systems and see the damage.
Your point may be a little valid and was fairly well put BUT I have one question for you - what is your profession - I suspect programmer rather than admin support - that alone would color opinions.
Please note I'm not flaming you here - I respect your opinion and can see how you came to it - I'm only pointing out why it's not the case
Re:It all seemed so clear the first time through.. (Score:2, Insightful)
Does that mean if I don't lock the door to my house, I have "gifted" all of my possessions to my neighbors? If they take my stuff, it's still stealing.
I may have been stupid to leave my door unlocked, but that's another story.
Re:It all seemed so clear the first time through.. (Score:2)
Sysadmins who give passwords to friends have even shorter ones
There is an implicit trust and professionalism involved in being in control of system security - any admin worth 10 cents would never give away passwords - if he did he would never ever get a job in IT again.
And any sysadmin who replaced another and didn't delete his predecessor's accounts and access and change service passwords deserves the same fate - it's good housekeeping and it's the first thing I do
Re:It all seemed so clear the first time through.. (Score:2)
To restate the obvious for those with IQs lower than their shoe size - you have no right to have passwords and logons to any system you are not explicitly authorised to connect to - that's simple fact. If you have said passwords then the intent is there to use them - I don't care what bullshit defence you use to me.
These passwords were behind a secure (or thought secure) system - it apparently took Mr West several weeks to get into this system so it's not like they were in plain sight.
Yes I'm sure that this would prove that and if you got my password list I would resign from my company - that's professionalism (although as I run a secured network with 2 firewalls and a DMZ server between the internet and all of my secured domain servers (with PIN security access for remote logon and mail access only at that point) - it would be a fucking good hacker (you ain't he) who could manage it - and we have paid to have it tested - I would probably hire anyone who could do it in fact!)
Anyone who would break into your house would not leave a note, moron, they would rob you blind.
Do you even live in the real world? Why is it not ok to break into someone's house but perfectly acceptable to break into their servers? What are you on about?
You sir are a moron
And a troll
Get a job in the real world as a sysadmin and see how much sympathy you have for this shit then.
Disagreement from the real world (Score:2)
If you have said passwords then the intent is there to use them - I don't care what bullshit defence you use to me.
At my last job, one of the network admins was trying to convince the management that our network procedures were insecure. After several weeks of getting nowhere, he installed some publicly available hacking tools and pointed them at our domain. Without using any of his inside knowledge of the system -- using only the default configuration of the tools -- he got a name/password list of most of the managing partners, the CIO, and the senior network administrator. None of these were passwords he would have had access to with any of his approved access from work.
He brought this list into the next meeting to demonstrate how insecure our system was. The official response was that he must have used his inside knowledge, and that no one from outside the company was that interested in trying to hack our system. This was at a law firm, BTW.
Although in the West case it's pretty clear he was also trying to rip off their site administration scripts, your assertion that mere possession of a password list equals intent to commit a crime doesn't stand up.
Re:But he WAS authorised. (Score:2)
Anyone who has read the details of this story would see that Mr West did not suddenly find this exploit - he spent weeks looking for it - this negates the argument about random discovery and the in plain sight crap - oh and the article in the newspaper analogy is total bullshit and a lame attempt to obfuscate the situation - no matter what page of the newspaper it is on it is considered not only in plain sight but in the public domain and is the most irrelevant argument I have ever seen - this information was found by deliberately looking for it and trying until it was found - the guy is a criminal and your attempts to defend him are misguided and frankly laughable
He sought the information - he copied it - he distributed it and he boasted about it - he attempted to besmirch the name of a competitor to get business in what I consider the most pathetic attempt at blackmail that I have ever seen - in short he is a loser
End of story
Re:It all seemed so clear the first time through.. (Score:2)
I think possessing the passwords is itself proof of intent to use them in most cases - otherwise why have you got them?
Re:It all seemed so clear the first time through.. (Score:2)
Without this bit of hacking the councilors would've gotten away scot-free. Because of it two resigned and the rest were soundly defeated six months later in elections. The employee managed to conceal his identity and no sane person would try to convict the press member of a crime.
So... what you're saying is that if you want to be a white hat, you better be a politician or risk incarceration?
Re:It all seemed so clear the first time through.. (Score:2)
In the eyes of the law, cracking is cracking.
In this case it was a government computer. It would only take one instance of a reporter getting a hard life sentence for using computer information to expose criminal politicians. After that, there would be a serious damper on the idea of any sort of press investigation of crooked politicians.
Maybe the FBI...? (Score:2, Insightful)
I think this is an excellent opportunity to put things in perspective. The FBI, along with other government agencies, are much maligned on Slashdot. Now, I'm all for civil debate. Wanting to know the facts, and not believing everything you're told, are good things that should be encouraged here in the US. Those principles are espoused here except, it seems, when dealing with law enforcement and intelligence agencies. Remember this case next time you are quick to judge an investigation or trial.
Re:It all seemed so clear the first time through.. (Score:2)
Imagine that Brian said to a friend:
"I got these files from the Poteau Daily News and Sun Web site. It's really badly coded. I'm going to rewrite the whole thing in PHP and see if they will buy it."
This would be enough to get him accused of "intending to derive a financial benefit from the unauthorized access".
Everybody seems to be assuming that "intending to market the revised software program" means that he would sell the new version on the open market. Actually, if he wanted to try and sell the new version only to the Poteau Daily News and Sun he would still be "intending to market the revised software program". A clarification of this is nowhere to be found.
Another suspicious thing is that he actually warned them about the security flaw, just the day after he found it out. Now, assuming he wasn't stupid, there are only two good reasons to do so:
Each small step is easy to rationalize (Score:2)
Look at this guy, he's probably going to go to jail, do a ton of public service and get put on probation all for stealing some scripts. I wouldn't be surprised if the scripts were freely available for download on another site. Moral of the story is if you get stupid, you'll pay for it.
The worst part of it is: (Score:5, Informative)
... I am the kind of pollyanna cretin who believed the guy when he put forth the story that he was being punished for doing his competitor a favor. "Why you bad men always pick on nice hacker fellers? You mean men!"
The theft and the defacement are so banal. The really bad part is how angry I got at the "injustice" done him by the unthinking cops.
Sorry cops.
Re:The worst part of it is: (Score:2)
Just to provide a little insight, I was a cop at one time and one of the most important lessons I learned, that still serves me well, is that there are in fact (at least) three sides to every story. One side for each of the parties involved and then the side of truth which is always in the middle.
No one has a monopoly on the truth.
You're still doing it... (Score:2)
As I read the indictment, there is a lot open to interpretation. There are a lot of claims that the guy "was going to" do bad things [tm] and a very, very slim list of questionable actions that were admittedly taken.
The scientific method enshrines skepticism as a primary virtue. Faith is the domain of religion. Neither Slashdot nor your local police department require or deserve religious devotion.
--Charlie
Re:The worst part of it is: (Score:2, Insightful)
I'm prolly gonna be smacked around for saying this, but come on people seriously..
I liked the part about php scripts ending w/.asp (Score:2)
Oh in case anyone isn't aware of it, parole boards usually don't even look at what a potential parolee was convicted of, they look at what he was charged with originally. So copping a plea effectively means admitting guilt to all of the charges, not just what you are convicted of. Don't like it, serve all of the sentence, it's your choice.
not much pity here..... (Score:4, Insightful)
Not exactly a White Knight (Score:5, Informative)
This is exactly the kind of cracking that needs to be prosecuted. This jerk wanted to have his cake and eat it too: look like a hero for publicizing the security hole, then profit from stealing another's work. It doesn't even sound like he was very smart about it.
Some people posted in the original article saying basically the same thing, but were ignored or flamed. Others [slashdot.org] were obviously lied to. People wrote letters, donated to the EFF, etc.
It's nice to see such noble acts, but please folks, take cases like this with a grain of salt until the truth comes out, eh? We geeks already have enough of a reputation for being reactionary.
Re:Not exactly a White Knight (Score:2)
I.e. if there was reason to believe that this guy had downloaded files or otherwise stolen IP, then I can agree with the search being performed, however if there was no reason to believe this, I think that the cops were being too aggressive to search & seize his property without reason to believe that he had stolen anything.
However if there was logging that he had downloaded stuff, then why the hell didn't he erase the logs? If you have that level of access to something, why wouldn't you erase all your tracks? Seems a little daft to me...
Re:Not exactly a White Knight (Score:3, Insightful)
Then at very least he's guilty of extreme stupidity. But that's not the case - his sworn testimony is that he planned to redistribute the code he downloaded and profit from it. That's what makes this a crime.
It just goes to show.. (Score:5, Insightful)
This isn't to say that we shouldn't support the EFF.
Most every criminal defendant comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.
The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.
Re:It just goes to show.. (Score:2, Insightful)
On the other hand, he may have done something just like that. I'm just saying these are interesting times. I wouldn't take a confession of guilt to mean that the release put out is the truth, the whole truth and nothing but the truth.
Re:NEWS FLASH (Score:2)
If you DON'T want your house broken into... then try not living on a PUBLIC street. The world for example last time I checked was available to the public.
You sir, are quite the idiot.
read the story folks (Score:5, Insightful)
I think you'd be arrested too.
Re:read the story folks (Score:3, Insightful)
Re:read the story folks (Score:3, Funny)
I'm guessing that when you break into someone's machine and copy software from it -- even if it's GPLed, you'd still be violating the "don't break into computers" law
Re:read the story folks (Score:2)
No, this is wrong. Only people who have been given the binaries have the right to the source code under the GPL. Putting your code under the GPL doesn't mean anyone can grab the code and binaries, it means that whoever you distribute your code to has a right to the binaries and has a right to redistribute. If you have a GPL'ed piece of code among a clique, you can't force the clique to give you the binaries or the code.
Perhaps reading the article would be recommended. (Score:2, Informative)
It seems that West exploited the security flaw to his own benefit before reporting it to the competitors. THAT was why he was charged, and THAT is why he plead guilty.
It also says that he hacked the Poteau Daily News website, downloaded some files, then claimed that his intrusion was accidental... Oops, my cat stepped on my keyboard, and it happened to be the correct user name and password!
interesting... (Score:3, Flamebait)
Also from the release:
"Using MS Front Page, defendant discovered a common security flaw between MS Front Page and MS Internet Information Server (IIS), the server software being run by PDNS."
So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user that was clever enough to discover yet another innovative, undocumented feature in the software..
Since the DoJ is obviously committed to making sure "that web sites are secure from unauthorized access and that intellectual property is protected," they'd better throw the FBI at any average citizen that is smart enough to research the (in)security of the software that they use, instead of targeting the company that is more concerned with taking your money than making sure it actually works.
Re:interesting... (Score:2)
So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user...
West's defense team made this very point in a press release [linuxfreak.org]:
From these facts it appears that Microsoft's software may have caused this unfortunate situation to occur. Mr. Sperling or the Federal Bureau of Investigation may be wise to investigate Microsoft as a possible co-defendant or party in this case.
However, West's lawyers failed to pursue this line of defense. The obvious reason is that the security flaw wasn't in Microsoft's product but in the way it was deployed by the user. Microsoft provided adequate means of security here and instructions on how to implement it.
In any case, Microsoft had nothing to do with the acts to which West plead guilty.
Until recently Microsoft was the target of a vigorous Federal prosecution. Apparently, politics has impeded the prosecution, but the prosecutors can hardly be faulted.
How did the FBI know? (Score:3, Insightful)
At first blush, it seemed like he just poked around the site a bit -- something I might do if I accidentally came across this problem, if to do nothing more than to understand the scope of the vulnerability.
So he downloaded some files here and there. Even, *gasp*, Perl scripts. Does this constitute the theft of intellectual property? Does this warrant the execution of a search warrant by the FBI?
It seems, on its face, that:
a) PDNS had more information about this individual's competitive position and included this in its complaint to the FBI, or
b) the FBI did lots of detective work (including possibly monitoring email and/or phone communication) and concluded that he wasn't so helpful, or
c) this is simply what the FBI found after the fact as a justification for their overreaction to PDNS's complaint.
Re:How did the FBI know? (Score:2, Insightful)
I don't think anyone would mind if the scripts were freely available, but PDNS spent money on them.
From what I understand, the FBI *didn't* know that he was re-writing them in PHP until AFTER they searched his laptop and workstations. Just the fact that he stole proprietary works was enough for them to initiate a search.
Besides that, the guy downloaded and apparently changed the password list. That is NOT casual poking around to discover the extent of the vulnerability.
Granted, if I discovered a back door, I would probably poke around too, but I wouldn't download or modify any files... if you're not meant to have it, leave it alone; it wouldn't be ethical to do otherwise.
Re:How did the FBI know? (Score:4, Insightful)
Answers
A: He boasted about it to the newspaper editor and several other people (read the info on his case on the web - it's in newspaper accounts)
B: They didn't have to - the guy's a fool - he left the evidence on his computers and bragged to the people he hacked - who notified the local police who called the FBI
C: Naah - this is what he did wrong - he committed a crime and got caught and charged - why bother keep defending the little shit?
The argument over intellectual property is so much crap - they were on a secured password protected section of a server he had no legal access to and also I will point out one belonging to a competitor of his - and he stole them thus committing theft.
The FBI has jurisdiction on this and the other reason they were called in, one suspects, is that the brain dead, I mean defendant, boasted about hacking into a local bank's systems (a lie it seems but he said it on the record in an interview with the newspaper and it was thus reported) and if that bank had Federal Investment Deposit Insurance (FIDC) then any crime committed against it becomes a federal crime and the FBI investigates.
Now are we done defending this guy? He's a hacker - full stop.
Re:How did the FBI know? (Score:2)
And the same laws that cover industrial espionage would cover this as according to the information on hand he was a competitor to the company who he hacked, thus this is a direct attack on their ability to trade
This is theft - not to mention the passwords and logons he stole which is also theft
Re:How did the FBI know? (Score:2)
Not legally
What did the victim lose - ok try prestige, good will (these BTW are measured and worth money to a business)
It's still illegal
It's still theft - the minute he copied the data it was theft. (And industrial espionage is a criminal offence under US laws and considered theft)
Nahh our opinions on theft are different because I have to spend money and time keeping pieces of work like this out of my systems
Re:How did the FBI know? (Score:2)
What did the victim lose - ok try prestige, good will (these BTW are measured and worth money to a business)
WTF prestige or good will did the victim lose? I don't even know who the hell the victim was. Besides, are you saying he "stole" good will? I think that's a ridiculous argument.
It's still illegal
So is going 56 in a 55 mph zone. So is buying something over the internet without paying a tax to your state (in most states). What's your point? My point is that he did nothing which should be illegal, because he did not harm anyone. Even if he did harm someone's prestige, or good will, like you say, he did that only by stating true facts about them. Stating true facts about someone and harming their prestige is not illegal, nor should it be.
It's still theft - the minute he copied the data it was theft.
So I just copied your writeup, was that theft? Was it theft when I copied, or when I pasted?
Nahh our opinions on theft are different because I have to spend money and time keeping pieces of work like this out of my systems
As do I. I'm just not selfish about it. Do lawyers copyright their court arguments? They spend money and time creating those arguments, and they are "stolen" (your words) all the time in other cases referencing them. I don't see lawyers going out of business. Why? Because they are paid for their ability to make new arguments, to adapt to new situations, not to copy and paste things which they've already created. The software industry should be no different. I have no need to be paid over and over again for a program I write. Once is enough, thank you. The time I'd save being able to "steal" (your words) other people's code would more than make up for the money I'd lose because some idiot knows how to copy and paste.
Besides all of that, whether or not this is theft is not an opinion. It is a fact. And my belief as to whether or not what this guy did should be illegal has nothing to do with the fact that it is not theft. Those who try to imply that it should be illegal, such as yourself, sometimes claim that it is theft to make it sound a lot worse than it is. Copying is not theft. It's not murder, it's not rape, it's not treason, it's not terrorism. It might be copyright infringement. It might be industrial espionage (in this case it wasn't though).
But hey, if it really is theft, I guess we can get rid of copyright law, since it's redundant. Theft is already illegal, so why bother making it illegal again. (I'll give you a hint, because no jury would convict someone of theft just because they made a copy of something).
Re:How did the FBI know? (Score:2)
Don't get childish and compare copying my text to what this genius did - he did not copy anything, he stole and modified it, gave passwords away to friends and boasted about it - hell, he's the sort of person who probably posts troll posts on slashdot - he committed a crime - he confessed and pled guilty.
You can reference a document but you cannot copy it verbatim - and I used to be IT for a law firm - the way a lawyer does it is to reference the pleading or case in his statement - thus he is quoting and it is legal.
He didn't 'adapt' anything - he was trying to make money by doing this - that's a for-gain action and there goes the white hat argument out the door.
I love how every time this sort of story is posted here they fall back on copyright - yeah sure no jury will do it - thats why companies never ever sue anyone for copyright violation and patent violation.
Did you read this story or only the slashdot stuff ? look at the facts - this guy copied nothing for just copying - he worked for weeks to break into the system and then stole information with the intention of profiting off it.
Re:How did the FBI know? (Score:2)
You, are very wrong.
"Waa, waa, I can't be wrong, I'm 1337! Information wants to be free! He didn't take anything! It isn't theft! Waa!"
You are very wrong because he did in fact intend to permanently DEPRIVE the owner of something, and did so, in fact.
"Waa, waa, No, he didn't, I'm going to keep whining about how information waaaaaaa wants to be free! *sniffle*"
He's a thief. He stole their "sole possession" of proprietary code. Before he took it, they (and possibly others that they granted use of) were the only persons rightfully in possession of said code.
When he STOLE that sole possession, he devalued its value to them as a sole possession (no matter how substantially so).
If he had sold it to other people, he would have been STEALING their ability to offer an exclusive service. If he had been USING it for his own gain, he would have been STEALING THEIR HARD WORK for his personal gain, essentially turning the situation into a case where they were unknowingly working for him, without pay.
It's theft. Any argument to the contrary is bullshit.
Re:How did the FBI know? (Score:2)
You, are very wrong.
No, you are.
"Waa, waa, I can't be wrong, I'm 1337! Information wants to be free! He didn't take anything! It isn't theft! Waa!"
Well, that was enlightening. If you would like a response as to why you are wrong, feel free to post again without being a dickhead.
It's theft. Any argument to the contrary is bullshit.
As Paul Harvey says, Now for the rest of the story (Score:2, Insightful)
But
In the IT world mistakes like this are often glossed over and not taken seriously. One would expect to be fired over something like this, but alas, they are not.
The best example of this is the Code Red and NIMDA fiasco. I can't tell you how many admins should have been terminated for not properly patching their systems. It is amazing.
He is a terrorist (Score:4, Funny)
I'm glad legislation is in the works to treat him as such. I recommend mandatory life sentence. We cannot remain idle while our nation is being attacked by such brutal "haxorists".
I recommend mandatory life sentence.
Spreading of alarming news? (Score:2)
Gray area in confidential info.... (Score:4, Insightful)
But, there are cases that are not always as clear cut as that. In this case, we can identify his criminal intention from his downloading of the password list and then using it to exploit other parts of the system.
What if the confidential / proprietary info is left in a completely unencrypted/unprotected state? A few months ago, when my friend was looking up info for a robot toy from a very high profile website, the ColdFusion server encountered some internal errors and dumped out its own scripts and even the **administrative password**. My earlybird friend cached the page and showed up later on today.... The intention seems to be benign enough, but the material evidence seems to be the same.
That's why, when ridiculous convictions really occur, we still need the community, we still need EFF. In some cases, we are the only people who understand what we are thinking...
Hey people he got what he DESERVED (Score:2, Insightful)
If this guy had gone to the front door of his competing ISP, noticed it was unlocked and then walked in, HE WOULD BE GUILTY OF BREAKING AND ENTERING.
The whole underground movement of "let's push doors to see what's open and make ourselves look good by admitting to breaking and entering" isn't going to cut it anymore in this post-terrorism world. He committed a crime, plain and simple; it doesn't matter if the key was copper or RSA. You are not a good neighbor if you are constantly looking for ways to break into my house. Especially if I don't even know you!!
It's true, people do need to check their firewalls and whatever other security means they have for exploits, but it does not give anyone a license to go willy-nilly on the net looking for exploitable systems. If someone has a system infected by Nimda and you see their IP coming across your firewall, yes, call them. That's OK because you are not breaking or entering.
--toq
~~~Moderators, note I posted this with my real account. Unlike the karma whoring anonymous cowards I stand behind my opinions.
[OT] Capitalization Madness! (Score:2)
Now, I even see people write "JAVA", and that's not even an acronym! Though I suppose one might infer that it's Just Another ....
Would those in attendance mind helping me by gently informing the users of this barbarism that "You sound like a freaking ignoramus!"? While I've got you, could you do the same for (stop here if you have a weak stomach and an appreciation for language) virii [perl.com].
Re:[OT] Capitalization Madness! (Score:2)
Could reality be... (Score:3, Interesting)
FBI: Mr. West, we'll give you a choice: you can plead guilty, admit to the following and serve a light sentence, or you can fight this for the next five-plus years, probably be found innocent, while you and your family starve in the meantime.
Mr. West: Um..Um...Um....OK, where do I sign?
Don't believe this can happen? It already has to others. Unless you are an absolute saint, few of us are, you don't stand a chance if the big wheels decide to roll in your direction.
Pow? (Score:3, Funny)
Oh well.
An alternative view. (Score:2)
The other part - the attempted profiteering - is another matter altogether. I don't see how it's connected to the cracking at all. It's basic Black Market racketeering of information, and that should be prosecuted as such.
But the cracking? If the original company were competent, they wouldn't have security even an insider could crack. (Dual-key systems, and distributed privileges, are common ways to limit the damage even an administrator can do.)
Probing and scanning a machine (which includes testing passwords) is not a crime in many States. Only actual damage caused. And, to be honest, that arrangement sounds eminently sensible.
What we are beginning to see here is the blaming of the use of the computer, when the computer had nothing to do with it. This is the kind of fuel the Führer needs to pass the anti-terrorist measures.
(Isn't it coincidental that the cracking gets big publicity at the time the bill runs into trouble...)
egads! (Score:3, Funny)
Bartholomew: Why no Phillip, I have chosen to rewrite it with VIsual editor, and I have used the wonderful Active Server Pages environment on my International Business Machines computer system. Perhaps later I will re-write it in PHP Hypertext Preprocessor.
Phillip: At least it's not FORmula TRANslation or COmmon Business Orientated Language!
Both: Ha ha ha ha ha !
Pretty advanced language for a court document (Score:3, Interesting)
Perl spelled out? (Score:2)
I got it too (Score:2)
Now...why do legal people send stuff in microsoft-mangled RTF? They made that 'open' standard to share documents, and then they use it in a nonstandard way. dammit.
Of course, the first time I decide to speak out... (Score:3, Interesting)
I know someone who showed his employer that the Win95 'login' passwords could be considered security since they could be bypassed with the cancel button, and they chewed him out for "hacking" their computers. He also had a web page about the place he worked. (Nothing rude. He was actually pretty proud of the place.) It had some pictures from a pamphlet that the company would give to customers to learn about the company and what they did. They fired him, claiming he was trying to impersonate the company on the web, and also claimed he was violating their copyright by using the pictures from a pamphlet that anyone could pick up for free.
Anyhow, it figures the first time I speak out, the case is a lie at face value. I have to admit I feel used and perhaps even mildly abused. I would write Sheldon Sperling back to apologize, but I figure he has gotten enough email about this case. I am glad I had the presence of mind to mention in my message to him that I know the defendant could be lying and in that case my statements might not apply.
Interesting to note (Score:2, Informative)
The sysadmins and pros and suchlike who work in IT agree this guy committed a crime or provide rational arguments as to why he didn't - they can rationally understand it and even maybe support the FBI - they understand what they did, have read the articles and post insightful comments and thoughtful questions, and maybe even have a laugh.
The other group includes those who think all hackers are cool and that the government has no right to keep them out; they throw up any argument, no matter how tenuous, to defend the actions of Mr West, and then even resort to saying he was forced to confess under duress! Then there are the conspiracy theorists and the lame "he didn't steal anything of value" (which is wrong, guys, as the law treats theft of data like theft of anything else).
How much longer are the actions of someone who is now a confessed criminal, who wasn't sophisticated enough to cover his tracks, going to get you all in a lather? Hasn't he had his 15 seconds of fame yet?
Hypothetical situation: possession/intent? (Score:2, Informative)
Here's a hypothetical situation: What if some malicious company made a webpage that when I connected to it, it downloaded the password file to a cookie on my hard drive. I don't know it's there. Then they come after me, claiming that I hacked into their system. True, I could say that I didn't know how it got there, and if I could get a person to show that their code downloaded the file (which would probably require a subpoena to look at their HTML code), that could make a good defense that I had no intent.
But what if I can't get that kind of help? What if I get a bone-head judge? Could someone be sent to jail for doing nothing more than browsing a web page? It does seem that this guy was a damn-big idiot at least, and a malicious cracker at most, but it seems like cops are getting overzealous in prosecuting tech "crimes" without understanding what's really going on.
Re:Hypothetical situation: possession/intent? (Score:2)
Could someone be sent to jail for doing nothing more than browsing a web-page?
Highly unlikely. The district attorney pointed out a defense in a press release [politechbot.com] in response to public concern about the case:
A suspect's intent, the amount of loss occasioned by the behavior, and the context of the alleged offense are among many factors that are within the scope of the investigation and weighed in such prosecutorial decisions. Only after all these standards and issues have been considered would the United States Attorney's Office for the Eastern District of Oklahoma prosecute an individual for a criminal offense.
Federal DAs are reluctant to prosecute unless there is a high probability of conviction and a low probability of reversal on appeal.
it seems like cops are getting overzealous in prosecuting tech "crimes"
Mostly one sees complaints about the light sentences hackers receive when the putative [m-w.com] damages are in the $billions. These sentences can hardly be an incentive for police to pursue what you call "tech crimes".
Log files of virtually any Web server will indicate thousands of attempts at hacking. In terms of sheer quantity it must be the most common crime by far. I'd like to see a little more zealousness in pursuing these jerks.
Who wrote a letter? (Score:4, Insightful)
Who here wrote a scathing letter to the editor or someone else regarding this incident when it first came out?
I should see more hands than that!
For those that did raise their hand, did you write them an apology for your uncalled-for comments? Go on, raise your hand.
I didn't think so.....
Is Critical Thinking Just Not Popular Anymore? (Score:3, Insightful)
Yeesh!
There are a ton of breathless posts up on this subject, all saying "Gosh! He pled to the Fed charges--that means he's a crook!" And, as is all too usual for /. commentators, everybody seems to have stopped reading the prosecutor's press release right there.
Let's stop right there for a moment: this is not a news article. It is a press release, issued by the Federal prosecutor. Press releases, on their face, are designed to promote a person, product, or cause--they make no pretense at all of being comprehensive or factual. They are more than 'spin'--they are a carefully-structured form of shaping the truth. In other words, when your government lies to you, it usually uses a press release to do so. "We'll protect your civil liberties while monitoring your email and listening to your phone calls?" Press release. The many public benefits of Echelon? Press release. The pressing need for a national ID card? Soon to be a press release.
So let's put on our critical thinking hats, kiddies, and re-read this press release with a little more critical attitude. Let's start with the simple facts: Brian West was cruising a news site; he found a security flaw; he downloaded a couple of PERL scripts; he called the editor of the paper the next day and told the editor he'd found a flaw. The newspaper editor flipped out, called the FBI, the FBI showed up at Brian West's office, Brian West (really stupidly) blithely gives the FBI permission to search his hard drive and copy all of his files, and gets charged with hacking. Right?
Now let's think of the context: hackers are Evil. They get long jail terms--they do hard time. Nailing a hacker has all kinds of sex appeal for a prosecutor--computer crime is very juicy stuff for the media. (The best example is right here on SlashDot--look at how many people have read this bit of fluff and leapt to post comments about how wicked this West fellow was, and how much we should apologize for all those nasty things we said about the cops.) So just how "nailed" was West?
You'll have to go all the way down to the bottom of the press release: the maximum penalty for this misdemeanor (speeding is a misdemeanor) is a year in jail. But the prosecutor's press release says explicitly that West will probably get probation. And (read a little higher up) West has been released without bail--solely on his promise to appear--pending sentencing.
Now--why would the prosecutor's self-issued press release admit that this heinous computer crook has received a complete pass? That he won't do a day in prison, won't pay a penny in fines, and has been released without bond pending sentencing? Remember: this is the prosecutor's press release, so this is the most positive spin the prosecutor can put on this.
Because the prosecutor didn't have a case--but West had probably run out of money. Note that West had two lawyers to pay (not that legal fees in Edmond, OK or Cleveland, TX are gargantuan, but presumably West wasn't exactly rich either). There are lots of times in the American legal system where justice is lost in the rush to expediency. "Criminals" plead guilty to misdemeanors with no penalties because they can't afford the cost of a trial. Prosecutors demand guilty pleas--even if there is effectively no sentence--in order to chalk the case up as a "win". This, I'd bet, is precisely one of those cases.
Ask yourself this question: if the Justice Department had issued this kind of press release for Dmitry Sklyarov, would you regard it as a rousing vindication of the Feds--or a moral victory for the defendant?
Re:Is Critical Thinking Just Not Popular Anymore? (Score:2)
Your analysis makes a lot of assumptions, the primary one being that what this guy did was harmless and unassuming.
There were quite a number of us at the time who read the original description, and when we got to the part where, after he noticed the initial flaw, he kept probing, downloading files and passwords, etc., thought "Why?"
This guy went too far. It's quite possible he didn't mean any harm, and that's why the prosecutors are being lenient on him.
But he was clearly a clueless numbskull who deserves to get his hand slapped.
You need to lose your preconceived notions of the sexiness of computer crimes, or that law enforcement officers don't understand the issues. That might have been true in the 80's and even ten years ago, but times have changed.
This is an isolated incident... (Score:2)
Hah. (Score:2)
Re:This whole thing makes me so mad. (Score:5, Informative)
Not only that, but he afterward went around and told everyone a different story than what he had actually done. I say this guy is an immature loser that deserves what he gets.
The responsible thing to do would be to anonymously mail the admin and tell him/her that such and such exploit is open and that he/she should fix it.
Re:This whole thing makes me so mad. (Score:2)
What IS the weather like on your planet
Re:This whole thing makes me so mad. (Score:3, Insightful)
He didn't just 'hack it', he stole data - that's a computer crime and he pled guilty - end of case.
I was one of those people who said this the last time and got flamed and moderated down for suggesting the guy might not be all he seemed.
Some slashdot readers need to read the information and think about things
Re:This whole thing makes me so mad. (Score:2)
except for the following:
Subsequent investigation revealed that WEST had downloaded the computer files, was in the process of rewriting the files, and intended to market the revised software program.
I was pretty pissed off too about this when the story first surfaced. Little additional details like this one kind of put a different light on it, though.
Re:And another thing... (Score:3, Insightful)
Let's use your window analogy:
The defendant, using a security vulnerability known as a Window, was able to break inside INSERTCOMPANYNAMEHERE and read and copy confidential documents sitting on a desk. He then gave a copy of the papers to a friend to show him how utterly 1331 he was and then told the company about the problem with breaking through a Window. However, for noticing the stupidity of BRIAN WEST, the prosecution is serving legal papers up within a court hearing for misdemeanor charges of breaking inside a building through a window without authorization.
Re:And another thing... (Score:2, Interesting)
Re:And another thing... (Score:2, Insightful)
While looking inside a Window, he realized it wasn't locked, opened the window, found some confidential documents lying around, made photocopies of them to keep, showed other people, made a few "adjustments" to the original copies, and then informed the company that they left their window unlocked.
Scott
Re:Think about it (Score:3, Informative)
Re:Think about it (Score:2)
Re:Think about it (Score:2)
If you have actually bothered to read the press release, it clearly states that West actually penetrated a (supposedly) secure service. He found a security hole, and then used it to breach the security on the server. Whether or not he had malicious intentions is irrelevant - I know it's often used, but the following euphemism still holds true: If someone breaks into your house, just to look around, without doing any actual harm, they are still breaking the law. Just because they climbed in through a window that they discovered you hadn't locked doesn't make them any less guilty.
The fact that he didn't seem to have any malicious intent is reflected in the fact that he was charged with (and pleaded guilty to) a misdemeanor. Had he had malicious intent, or done any malicious damage, I'm sure that he would have been charged with an actual crime (there is, to the best of my knowledge, even though IAMAL, a legal difference between a misdemeanor and a crime).
Re:Think about it (Score:2, Informative)
Clearly his intent was to.. steal software and sell it as his own...Look at :
"Subsequent investigation revealed that WEST had downloaded the computer files, was in the process of rewriting the files, and intended to market the revised software program." -(From the linked article)
That isn't malicious?
Re:Think about it (Score:2)
I'll give you a break and mention that the acronym is IANAL (I Am Not A Lawyer). If you _are_ a lawyer, well...
The proper distinction is misdemeanor versus felony - both are "crime" in the sense that people who commit them can be prosecuted, found guilty, etc. However, misdemeanor (literally, mistaken behavior) is much less serious than felony (a heinous act): a misdemeanor usually won't disqualify you from getting a job, depending of course on the nature of the conviction and the job, whereas a felony often makes subsequent employment more problematic, especially in a capacity more responsible than low paid hourly work. And felons are prohibited from owning guns and voting (though in many states they can apply to have their voting rights reinstated after serving their time). Overall though, you _don't_ want to have a felony record.
Many offenses - especially white-collar ones such as this case - can be resolved either as misdemeanors or felonies. Typically, if the situation is marginal, or intent was lacking, and no harm was actually done, etc., the prosecution can be persuaded to offer a plea to a misdemeanor "in the interests of justice" (i.e., this clears the case quickly without requiring an expensive jury trial). That's what happened here - the proverbial slap on the wrist.
This guy committed theft and hoped to profit by it. He's lucky to be getting off with a misdemeanor. If he'd simply reported the hole, he'd be in the clear.
Re:Think about it (Score:3, Interesting)
Re:Think about it (Score:2)
Not unless you then say "You should use some kind of UNIX instead...", and the person is a terrorist. Then you're "advising or aiding".
Re:Think about it (Score:3, Interesting)
Now if someone found that security hole, would it be ok for them to take the key and make a copy? Would it be ok for them to repeatedly break into my house to take my personal possessions? Would it be ok to distribute the key to others? For a profit? Would it be ok as long as they told me about it later and told me how they could make my house more secure?
The existence of a security hole does not make it ok to steal. That's the bottom line. Pick another cause to fight for.
Re:Think about it (Score:2)
I'm going to generalize a little bit here and take this out of the context of this one hacker.
Now if someone found that security hole, would it be ok for them to take the key and make a copy? Would it be ok for them to repeatedly break into my house to take my personal possessions? Would it be ok to distribute the key to others? For a profit? Would it be ok as long as they told me about it later and told me how they could make my house more secure?
I agree: what you have written is criminal activity. No worse than B&E, theft (possibly grand theft) and whatever the crime is called for profiting off of criminal activity. There is no need for a special "Urban KeyUnderRock Act" -- we have laws to handle this already. But what about this scenario:
Instead of a home, how about a medical office. Some place of business keeping private information on people. Now if someone found that security hole (key under rock), would it be ok for me to -- after contacting you and giving you ample time (weeks) to correct the problem -- write a detailed pamphlet, write the newspaper, call in journalists, etc., describing the security hole and how widespread this type of security violation was and how it affects all of the people who go to this medical building? Would you have any right to call the cops on me? To try and have me arrested, sued, fined, incarcerated? Because you either don't want to spend the money to do it right?
My opinion is no. I warned you, showed you how to fix it and scolded you for being so patently stupid and disrespectful of private information, and you either threatened me or blew me off. My going public with the information is, in my opinion, a public service -- the same type of thing as the whistleblowers and people who risk their lives and personal finances to bring a big bad company to justice.
Let's face it: most companies think this kind of stuff is only doable by UberHaxors -- therefore it's not worth fixing just because some guy comes up and shows them how it's done. The policies are changing, and that is a good thing. However, with Mr. Ashcroft's asinine laws he is leading the way to making true security a thing of the past.
Re:'Secure' information (Score:2, Insightful)
Re:New laws saying this is "life behind bars" offe (Score:3, Informative)
Only 1030(a)(1), (4), (5)(A), and (7) are the computer crimes considered terrorism offenses under the draft of ATA [eff.org] (See Sec. 309)
By hacking the computer he gives up the right to any privacy regarding his actions on and communications with the attacked computer (Sec. 106), but then I wouldn't really expect someone to have privacy regarding what they do with a computer they shouldn't be on in the first place.
Re:New laws saying this is "life behind bars" offe (Score:2, Informative)
It applies to "protected computers"
From 18 USC 1030(e):
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;
That's basically any computer on the internet.
Re:New laws saying this is "life behind bars" offe (Score:5, Informative)
From Title 18, Sec. 1030 of the US Code:
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;
SEC. 106 INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.
(1) in section 2510-
(A) in subsection (17), by striking "and" at the end;
(B) in subsection (18), by replacing the period with a semi-colon; and
(C) by adding after subsection (18), two new subsections as follows:
"(19) `protected computer' has the meaning set forth in section 1030; and
"(20) `computer trespasser' means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer."; and
(2) in section 2511(2), by adding after paragraph (h) a new paragraph as follows:
"(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if-
"(A) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;
"(B) the person acting under color of law is lawfully engaged in an investigation;
"(C) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and
"(D) such interception does not acquire communications other than those transmitted to or from the computer trespasser.".
Re:Perhaps this is yet more proof (Score:2, Insightful)
STRIKE that. (Score:2)
Re:Interstate Commerce? (Score:2)
Yeah, I know it's stupid, but I didn't write it. I'm just explaining it.
Re:Only one side of the story (Score:3, Interesting)
In other words, the evidence alone would hang him - the fact that he tends to come across as an arrogant person in his writings and letters, and don't forget he only tried the white hat when caught.
People like this guy think the law doesn't apply to them; they think that computer crime is something no one else will understand and that makes it hard to prove, etc. It isn't - trust me, I have worked with Australian Federal Police investigators at a previous role (involving an attempted hacking incident at a financial institution). These guys were very, very smart and skilled, and 2 of them were ex-hackers (1 who had served jail time). They know what they are doing.
This guy has to have committed the most amateurish, pathetic and misguided hack in history and then thought he could use the open source movement to cover himself and the EFF to protect him - he was wrong and this should teach us a lesson.
All is not what it seems in these cases - IMHO there is no such thing as white hat or black hat, ONLY hackers - any justification you can try and find won't change the fact that these guys support an ethos surrounded in getting access to things they haven't been given.
Hacking is wrong. FULL STOP
Re: (Score:3, Informative)
Re:PHP = .asp and .inc? (Score:2)
I think what you're trying to say is that you're using the wrong tool for the job. If your editor can't handle highlighting of PHP, then perhaps you should consider alternatives...
Re:PHP = .asp and .inc? (Score:2)
perhaps you should consider alternatives...
May I suggest Vedit [vedit.com]? It includes syntax highlighting for many languages but it also allows the user to create custom configuration files for syntax highlighting in any language. These configuration files also permit pattern matching.
Version 6, a major upgrade, is being released in October. I've used Vedit for 20 years, back when it was the only editor available for CP/M.
In those days, of course, there was no such thing as syntax highlighting...but I digress.
Re: (Score:2)
Re:PHP = .asp and .inc? (Score:2)
You can access a WebDAV server just like a network share. I believe in XP, you can even map it to a drive letter, but don't quote me on that.
Re:It's all in a name (Score:2, Informative)