
Brian West Update 313

Concerned Onlooker writes: "Remember the story about how Brian West reported a security leak to a client of a competing hosting service and then was promptly arrested by the FBI? Well, as usual there's more to the story, as shown in this release that I got today from Sheldon Sperling of the U.S. Dept. of Justice. Sorry about the Word-generated HTML. It's just nice to follow up on what outraged many of us at the time...." West has pled guilty to a misdemeanor offense.
  • financial gain (Score:2, Offtopic)

    by Anonymous Coward
    It seems that his plight was not as was reported. It says he was trying to profit from the stuff he downloaded. Maybe he wasn't so innocent after all.
  • by dmarcov ( 461598 ) on Wednesday September 26, 2001 @08:22PM (#2355831) Homepage
    I remember reading that story and thinking about here was a good guy -- one of us, doing a fairly nice thing and reporting a security hole (that obviously someone other than him should have been the first to notice). I remember being more than a bit outraged that law enforcement couldn't tell the difference between breaking into a system maliciously, and just noticing something amiss.

    Now, I can't say that I blame him for poking around a bit. If it was me, I'd probably have done the same -- never know when a username/password list is going to come in handy I suppose. I think it is the for "profit" motive - that he would steal someone else's work and try to sell it as his own is the real sin here. I guess I also can't imagine the Perl scripts of some fairly small town newspaper (we're not talking the NY Times here - although I do feel the need to say, "Free Registration Required") being that cool that they deserved to be stolen.
    I'm glad the rest of the details came out on this one.
    • by q-soe ( 466472 ) on Wednesday September 26, 2001 @08:45PM (#2355923) Homepage
      As a corporate IT manager I would like to ask you one question ?

      Under what circumstances does a username/password list to systems you have not been implicitly given access to come in handy ?

      The only reason to have passwords to a system that you do not have rights to is to connect to it without permission - I look at this as a simple thing - it is unauthorised access and therefore illegal.

      When will some people get this through their heads - if you have someone else's account and password obtained from any source which does not have authority (eg the Sysadmin or network admin) then you are committing a crime - you should not have it.

      It doesn't matter what you do with them or where you got them, possession is Intent - Intent is used to prosecute.

      Think about this scenario - the police for some reason suspect you of hacking - they come to your house and find on your computer some information or articles on hacking, maybe a hacking program and they find a list of passwords and logins to systems and websites.

      Guess what - that's intent and you are getting charged with hacking, if they happen to be bank system passwords you are probably going to be charged with fraud. They might not prove the charges but they have sufficient prima facie evidence of crime of intent to commit to charge you with these things.

      I cannot see ANY justification to have lists of passwords and user names to anybody else's system unless they gave them to you - the White Hat or Just Looking Around or Education arguments are so much crap it's not funny and it's the argument all the hackers attempt when they are caught.
      • But the passwords *were* gifted to the individual. They were so poorly-protected as to be considered public.
        • this argument is no defence - they were not gifted to the individual he found a way in and stole them - that's the crime - the security of the system is not relevant and in this case the guy spent weeks looking for a way in - hardly easy then is it ?
        • "But the passwords *were* gifted to the individual."

          Does that mean if I don't lock the door to my house, I have "gifted" all of my possessions to my neighbors? If they take my stuff, it's still stealing.

          I may have been stupid to leave my door unlocked, but that's another story.
    • Hmmm...maybe the FBI really ARE the good guys!

      I think this is an excellent opportunity to put things in perspective. The FBI, along with other government agencies, are much maligned on Slashdot. Now, I'm all for civil debate. Wanting to know the facts, and not believing everything you're told, are good things that should be encouraged here in the US. Those principles are espoused here except, it seems, when dealing with law enforcement and intelligence agencies. Remember this case next time you are quick to judge an investigation or trial.
    • The whole thing still smells fishy.

      Imagine that Brian said to a friend:

      "I got these files from the Poteau Daily News and Sun Web site. It's really badly coded. I'm going to rewrite the whole thing in PHP and see if they will buy it."

      This would be enough to get him accused of "intending to derive a financial benefit from the unauthorized access".

      Everybody seems to be assuming that "intending to market the revised software program" means that he would sell the new version on the open market. Actually, if he wanted to try and sell the new version only to the Poteau Daily News and Sun he would still be "intending to market the revised software program". A clarification of this is nowhere to be found.

      Another suspicious thing is that he actually warned them about the security flaw, just the day after he found it out. Now, assuming he wasn't stupid, there are only two good reasons to do so:

      1. He actually had good intentions and wanted to warn them about the security flaw so as to avoid further intrusions.
      2. He wanted to blackmail them
      If the second case is true, then why:
      • Did he explain to them the nature of the security flaw ?
      • There is no reference to him demanding money from the Poteau Daily News and Sun ?
      I would say the waters are still muddied ...
    • Prisons are full of people who only took one small step. Each one didn't seem so bad, but they all add up. Step A is a little naughty, step B a little more. People generally don't go from not even a traffic ticket to Bank robbery and Murder in one giant leap.
      Look at this guy, he's probably going to go to jail, do a ton of public-service and get put on probation all for stealing some scripts. I wouldn't be surprised if the scripts were freely available for download on another site. Moral of the story is if you get stupid, you'll pay for it.
  • by Dr. Smeegee ( 41653 ) on Wednesday September 26, 2001 @08:23PM (#2355835) Homepage Journal

    ... I am the kind of pollyanna cretin who believed the guy when he put forth the story that he was being punished for doing his competitor a favor. "Why you bad men always pick on nice hacker fellers? You mean men!"

    The theft and the defacement are so banal. The really bad part is how angry I got at the "injustice" done him by the unthinking cops.

    Sorry cops.



    • Just to provide a little insight, I was a cop at one time and one of the most important lessons I learned, that still serves me well, is that there are in fact (at least) three sides to every story. One side for each of the parties involved and then the side of truth which is always in the middle.

      No one has a monopoly on the truth.

    • So you hate yourself because you believed the perp's story, and now you are (equally uncritically) believing the cop's story?
      As I read the indictment, there is a lot open to interpretation. There are a lot of claims that the guy "was going to" do bad things [tm] and a very, very slim list of questionable actions that were admittedly taken.
      The scientific method enshrines skepticism as a primary virtue. Faith is the domain of religion. Neither Slashdot nor your local police department require or deserve religious devotion.
      --Charlie
  • by dragonxhero ( 524736 ) on Wednesday September 26, 2001 @08:26PM (#2355843)
    some posts act like this guy is innocent.... IMHO, he shouldn't be punished for the penetration or browsing, cause he reported it to the company.... but, he apparently deliberately lied to the company about some stuff, and attempted to steal some of their intellectual property for his own personal gain.... sorry, this guy seems a bit shady, and it seems to me he got what he earned for himself....
  • by legLess ( 127550 ) on Wednesday September 26, 2001 @08:27PM (#2355844) Journal
    From the article, near the bottom:

    "This case generated a very substantial amount of e-mailed correspondence to our office and across the world," [United States Attorney Sheldon J.] Sperling said. "The wide range of opinion was instructive. In this case, the defendant rewrote the files he downloaded, planned to distribute his rewrite, added another page to the website, modified the password file, and misled sympathizers and others as to both the character and scope of what he had done."


    This is exactly the kind of cracking that needs to be prosecuted. This jerk wanted to have his cake and eat it too: look like a hero for publicizing the security hole, then profit from stealing another's work. It doesn't even sound like he was very smart about it.

    Some people posted in the original article saying basically the same thing, but were ignored or flamed. Others [slashdot.org] were obviously lied to. People wrote letters, donated to the EFF, etc.

    It's nice to see such noble acts, but please folks, take cases like this with a grain of salt until the truth comes out, eh? We geeks already have enough of a reputation for being reactionary.
    • here's the dumb question. Apparently the webhost got spooked when they looked at the logs to see that there was a file downloaded, or did the sysadmin just freak and call the cops anyways?

      I.e. if there was reason to believe that this guy had downloaded files or otherwise stolen IP, then I can agree with the search being performed, however if there was no reason to believe this, I think that the cops were being too aggressive to search & seize his property without reason to believe that he had stolen anything.

      However if there was logging that he had downloaded stuff, then why the hell didn't he erase the logs? If you have that level of access to something, why wouldn't you erase all your tracks? Seems a little daft to me...
  • by DavidBrown ( 177261 ) on Wednesday September 26, 2001 @08:27PM (#2355849) Journal
    ..that we shouldn't automatically believe the story of every hacker/cracker/defendant who claims that he's being prosecuted for being a "good citizen". Every single prosecution of someone for some sort of "computer crime" isn't cause for us to plead for more donations to the EFF.

    This isn't to say that we shouldn't support the EFF.

    Most every criminal defendant comes up with some story as to why his acts weren't really illegal, or if illegal, should have been legal. We, as a community, listened to Brian West's story or made up one of our own and decided that this was yet another travesty of justice.

    The bottom line in this case is that West was a crook (or at least admitted to being one). Our lesson to learn is that we shouldn't jump to conclusions.

    • Admitted to being one I think is a huge key. Right now is not a great time to be an evil hacker in front of a jury. He might have just decided it was best to plea and get what he possibly could. I just can't imagine this newspaper's perl scripts or whatever he had as having resale value. Is anybody in that market? It just seems insane to me. Seems like he would have had an easier time hacking apart slashcode to get what he wanted.
      On the other hand, he may have done something just like that. I'm just saying these are interesting times. I wouldn't take a confession of guilt to mean that the release put out is the truth, the whole truth and nothing but the truth.
  • by evilpimpstar ( 464546 ) on Wednesday September 26, 2001 @08:29PM (#2355862) Homepage
    This guy stole. It's sorta like if you saw a Wells Fargo truck with the back door open, took a couple of money bags, then told the driver, "Hey, your back door is open."

    I think you'd be arrested too.
    • Nothing is missing. It's more like if you saw a pinball machine which had unlimited free games, played for an hour, and then reported it to the owner.
  • It seems like those posting comments so far haven't read the article [kellybreed.com].

    It seems that West exploited the security flaw to his own benefit before reporting it to the competitors. THAT was why he was charged, and THAT is why he plead guilty.

    It also says that he hacked the Poteau Daily News website, downloaded some files, then claimed that his intrusion was accidental... Oops, my cat stepped on my keyboard, and it happened to be the correct user name and password!
  • interesting... (Score:3, Flamebait)

    by espilce ( 105654 ) on Wednesday September 26, 2001 @08:36PM (#2355884)
    `"it is important that web sites are secure from unauthorized access and that intellectual property is protected. Cyberspace will be a better place for all if such privacy and property rights are respected," stated Assistant United States Attorney Jeff Gallant.'

    Also from the release:

    "Using MS Front Page, defendant discovered a common security flaw between MS Front Page and MS Internet Information Server (IIS), the server software being run by PDNS."

    So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user that was clever enough to discover yet another innovative, undocumented feature in the software..

    Since the DoJ is obviously committed to making sure "that web sites are secure from unauthorized access and that intellectual property is protected," they'd better throw the FBI at any average citizen that is smart enough to research the (in)security of the software that they use, instead of targeting the company that is more concerned with taking your money than making sure it actually works.
    • So tell me why Microsoft is not facing misdemeanor (or felony) charges instead of the user...

      West's defense team made this very point in a press release [linuxfreak.org]:
      From these facts it appears that Microsoft's software may have caused this unfortunate situation to occur. Mr. Sperling or the Federal Bureau of Investigation may be wise to investigate Microsoft as a possible co-defendant or party in this case.

      However, West's lawyers failed to pursue this line of defense. The obvious reason is that the security flaw wasn't in Microsoft's product but in the way it was deployed by the user. Microsoft provided adequate means of security here and instructions on how to implement it.

      In any case, Microsoft had nothing to do with the acts to which West plead guilty.

      ...instead of targeting the company that is more concerned with taking your money than making sure it actually works.

      Until recently Microsoft was the target of a vigorous Federal prosecution. Apparently, politics has impeded the prosecution, but the prosecutors can hardly be faulted.

  • by pbryan ( 83482 ) <email@pbryan.net> on Wednesday September 26, 2001 @08:38PM (#2355893) Homepage
    I'm perplexed how the FBI possibly ascertained exactly that West was rewriting the Perl scripts in PHP to resell as a product, as they indicate as the impetus of their response of search warrant and arrest.

    At first blush, it seemed like he just poked around the site a bit -- something I might do if I accidentally came across this problem, if to do nothing more than to understand the scope of the vulnerability.

    So he downloaded some files here and there. Even, *gasp*, Perl scripts. Does this constitute the theft of intellectual property? Does this warrant the execution of a search warrant by the FBI?
    It seems, on its face, that:

    a) PDNS had more information about this individual's competitive position and included this in its complaint to the FBI, or

    b) the FBI did lots of detective work (including possibly monitoring email and/or phone communication) and concluded that he wasn't so helpful, or

    c) this is simply what the FBI found after the fact as a justification for their overreaction to PDNS's complaint.
    • I think the key to this is that the Perl scripts were *proprietary*, meaning that they were developed solely by and/or for PDNS. That IS intellectual property.

      I don't think anyone would mind if the scripts were freely available, but PDNS spent money on them.

      From what I understand, the FBI *didn't* know that he was re-writing them in PHP until AFTER they searched his laptop and workstations. Just the fact that he stole proprietary works was enough for them to initiate a search.

      Besides that, the guy downloaded and apparently changed the password list. That is NOT casual poking around to discover the extent of the vulnerability.

      Granted, if I discovered a back door, I would probably poke around too, but I wouldn't download or modify any files... if you're not meant to have it, leave it alone; it wouldn't be ethical to do otherwise.

    • by q-soe ( 466472 ) on Wednesday September 26, 2001 @08:56PM (#2355959) Homepage

      Answers

      A: He boasted about it to the Newspaper editor and several other people (read the info on his case on the web - it's in newspaper accounts)
      B: they didn't have to - the guy's a fool - he left the evidence on his computers and bragged to the people he hacked - who notified the local police who called the FBI
      C: Naah - this is what he did wrong - he committed a crime and got caught and charged - why bother keeping defending the little shit ?

      The argument over intellectual property is so much crap - they were on a secured password protected section of a server he had no legal access to and also I will point out one belonging to a competitor of his - and he stole them thus committing theft.

      The FBI has jurisdiction on this and the other reason they were called in one suspects is that the brain dead I mean defendant boasted about hacking into a local bank's systems (a lie it seems but he said it on the record in an interview with the newspaper and it was thus reported) and if that bank had Federal Investment Deposit Insurance (FIDC) then any crime committed against it becomes a federal crime and the FBI investigates.

      Now are we done defending this guy ? he's a hacker - full stop.

  • It's great that the truth according to the prosecutor came out. Anyone with any sense can understand that what he did wasn't noble nor helpful. It was wrong and illegal.

    But ... wouldn't you love to know if the paper understood what happened to it? Wouldn't you love to know what happened to their webmaster? Their network administrator?

    In the IT world mistakes like this are often glossed over and not taken seriously. One would expect to be fired over something like this, but alas, they are not.

    The best example of this is the Code Red and NIMDA fiasco. I can't tell you how many admins should have been terminated for not properly patching their systems. It is amazing.
  • by ksw2 ( 520093 ) <obeyeater@gmai[ ]om ['l.c' in gap]> on Wednesday September 26, 2001 @08:44PM (#2355916) Homepage
    What this man did was clearly an act of terrorism.

    I'm glad legislation is in the works to treat him as such. I recommend mandatory life sentence. We cannot remain idle while our nation is being attacked by such brutal "haxorists".

    I recommend mandatory life sentence.

  • In my country he would most likely get away with what he did, with the computer. Maybe with a monetary punishment, but there is a law about 'spreading alarming news' which I believe he did by trying to present the story in different way to the community and this is a crime that could be charged with several years in prison.
  • by AtomicBomb ( 173897 ) on Wednesday September 26, 2001 @08:58PM (#2355962) Homepage
    This case is quite clear cut that Brian West had done something stupid and wrong. He deserves what he gets.

    But, there are cases that are not always as clear cut as that. In this case, we can identify his criminal intention from his download of password list then use it to exploit other parts of the system.

    What if the confidential / proprietary info is left in a completely unencrypted/protected state. A few months ago, when my friend was looking up info for a robot toy from a very high profile website, the ColdFusion server encountered some internal errors and dumped out its own scripts and even the **administrative password**. My earlybird friend cached the page and showed up later on today.... The intention seems to be benign enough, but the material evidence seems to be the same.

    That's why, when ridiculous convictions really occur, we still need the community, we still need EFF. In some cases, we are the only people who understand what we are thinking...
  • I'm just blown away by the fact people actually defend this guy! We all have to start changing our view on security breaches by bringing in real life analogies.

    If this guy had gone to the front door of his competing ISP, noticed it was unlocked and then walked in, HE WOULD BE GUILTY OF BREAKING AND ENTERING.

    The whole underground movement of "let's push doors to see what's open and make ourselves look good by admitting to breaking and entering" isn't going to cut it anymore in this post terrorism world. He committed a crime plain and simple, doesn't matter if the key was copper or RSA. You are not a good neighbor if you are constantly looking for ways to break into my house. Especially if I don't even know you!!

    It's true, people do need to check their firewalls and whatever other security means they have for exploits, but it does not give anyone a license to go willy nilly on the net looking for exploitable systems. If someone has a system infected by nimda and you see their IP coming across your firewall, yes call them. That's OK cause you are not breaking or entering.

    --toq

    ~~~Moderators, note I posted this with my real account. Unlike the karma whoring anonymous cowards I stand behind my opinions.
  • Can anyone give me any hint to what started people writing Perl as "PERL"? Ok, it is an acronym (more than one, actually), but every single piece of documentation, and every official reference, says "Perl" for the language (and "perl" for the program). Yet people must have copied it from somewhere, for who would choose to hang on to that tedious shift key longer than absolutely necessary? My only theory is that they were misled by the practice of writing book titles in all caps, but this would suggest that there is a critical mass of simpletons who have seen the cover of these books but never dared to peek inside.

    Now, I even see people write "JAVA", and that's not even an acronym! Though I suppose one might infer that it's Just Another ....

    Would those in attendance mind helping me by gently informing the users of this barbarism that "You sound like a freaking ignoramus!"? While I've got you, could you do the same for (stop here if you have a weak stomach and an appreciation for language) virii [perl.com].

    • Well, this particular document was released by the Department of Justice, and they seem to like writing things in all capitals. Names of companies, individuals, programming languages, FBI special ops teams :) (CART!).. Must be some kind of a lawtype :).

  • Could reality be... (Score:3, Interesting)

    by stox ( 131684 ) on Wednesday September 26, 2001 @09:44PM (#2356134) Homepage
    Is it possible that Brian West was confronted with the following:

    FBI: Mr. West, we'll give you a choice, you can plead guilty and admit to the following and serve a light sentence, or you can fight this for the next five plus years, probably be found innocent, while you and your family starve in the mean time.

    Mr. West: Um..Um...Um....OK, where do I sign?

    Don't believe this can happen? It already has to others. Unless you are an absolute saint, few of us are, you don't stand a chance if the big wheels decide to roll in your direction.
  • Pow? (Score:3, Funny)

    by shredds ( 241412 ) on Wednesday September 26, 2001 @09:52PM (#2356198)
    For a second I was like "that's so cool that batman is a hacker!"...then I remembered that's Adam West, not Brian West.
    Oh well.

  • His cracking (NOT hacking) seems to be really little more than stuff skript kiddies do every day to test people's security. If the FBI wants to prosecute them, all they need to is fetch the complete AOL and @Home subscriber lists.


    The other part - the attempted profiteering - is another matter altogether. I don't see how it's connected to the cracking at all. It's basic Black Market racketeering of information, and that should be prosecuted as such.


    But the cracking? If the original company were competent, they wouldn't have security even an insider could crack. (Dual-key systems, and distributed privileges, are common ways to limit the damage even an administrator can do.)


    Probing and scanning a machine (which includes testing passwords) is not a crime in many States. Only actual damage caused. And, to be honest, that arrangement sounds eminently sensible.


    What we are beginning to see here is the blaming of the use of the computer, when the computer had nothing to do with it. This is the kind of fuel the Führer needs to pass the anti-terrorist measures.


    (Isn't it coincidental that the cracking gets big publicity at the time the bill runs into trouble...)

  • egads! (Score:3, Funny)

    by Dr. Awktagon ( 233360 ) on Wednesday September 26, 2001 @10:01PM (#2356259) Homepage
    Phillip: I say, Bartholomew, have you finished that smashing Practical Extraction Report Language script for your World Wide Web page in Extensible MACro System?

    Bartholomew: Why no Phillip, I have chosen to rewrite it with VIsual editor, and I have used the wonderful Active Server Pages environment on my International Business Machines computer system. Perhaps later I will re-write it in PHP Hypertext Preprocessor.

    Phillip: At least it's not FORmula TRANslation or COmmon Business Orientated Language!

    Both: Ha ha ha ha ha !
  • by zaius ( 147422 ) <jeff@zaius.dyndns . o rg> on Wednesday September 26, 2001 @10:08PM (#2356285)
    That's the first government document I've ever seen discuss various programming languages like perl and PHP... you don't see court orders talking specifically about perl scripts very often...
  • I don't think I've ever seen "Practical Extraction and Report Language" spelled out in the straight press. I wish whomever the writer of the release asked for a definition had told them "Pathetically Eclectic Rubbish Lister". Of course then, they'd probably have just used the acronym.
  • Looks like he wasn't so innocent after all, and justice was served.


    Now...why do legal people send stuff in microsoft-mangled RTF? They made that 'open' standard to share documents, and then they use it in a nonstandard way. dammit.

  • by DeVilla ( 4563 ) on Wednesday September 26, 2001 @11:21PM (#2356628)
    After reading about this case for the first time I felt it necessary to write the DOJ lawyer and state my thoughts. It was the first time I ever felt so motivated. It was astounding that he would be arrested for helping a site with poor security, yet absolutely believable given the state of US law concerning computers, the net and IP.

    I know someone who showed his employer that the Win95 'login' passwords could be considered security since they could be bypassed with the cancel button, and they chewed him out for "hacking" their computers. He also had a web page about the place he worked. (Nothing rude. He was actually pretty proud of the place.) It had some pictures from a pamphlet that the company would give to customers to learn about the company and what they did. They fired him claiming he was trying to impersonate the company on the web and also claimed he was violating their copyright by using the pictures from a pamphlet that anyone could pick up for free.

    Anyhow, It figures the first time I speak out, the case is a lie at face value. I have to admit I feel used and perhaps even mildly abused. I would write Sheldon Sperling back to apologize but I figure he has gotten enough email about this case. I am glad I had the presence of mind to mention in my message to him that I know the defendant could be lying and in that case my statements might not apply.
  • Interesting to note (Score:2, Informative)

    by q-soe ( 466472 )
    How easy it is to separate the Sysadmins and suchlike on here from everyone else (excepting the trolls -- we know what they are)

    The sysadmins and pros and suchlike who work in IT agree this guy committed a crime or provide rational arguments as to why he didn't - they can rationally understand it and even maybe support the FBI - they understand what they did, have read the articles and post insightful comments and thoughtful questions and maybe even have a laugh.

    The other group include those who think all hackers are cool and that the government has no right to keep them out, they throw up any argument no matter how tenuous to defend the actions of Mr West and then even resort to saying he was forced to confess under duress ! then there's the conspiracy theorists and the lame he didn't steal anything of value (which is wrong guys as the law treats theft of data like theft of anything else)

    How much time will the actions of someone who is now a confessed criminal who wasn't sophisticated enough to cover his tracks going to get you all in a lather ? Hasn't he had his 15 seconds of fame yet?
  • I read a post further down that stated that possession of a protected (or supposedly protected) password file implies intent (to commit a crime with said list).

    Here's a hypothetical situation: What if some malicious company made a webpage that when I connected to it, it downloaded the password file to a cookie on my hard drive. I don't know it's there. Then they come after me, claiming that I hacked into their system. True, I could say that I didn't know how it got there, and if I could get a person to show that their code downloaded the file (which would probably require a subpoena to look at their HTML code), that could make a good defense that I had no intent.

    But what if I can't get that kind of help? What if I get a bone-head judge? Could someone be sent to jail for doing nothing more than browsing a web-page? It does seem that this guy was a damn-big idiot at least, and a malicious cracker at most, but it seems like cops are getting overzealous in prosecuting tech "crimes" without understanding what's really going on.

    • Could someone be sent to jail for doing nothing more than browsing a web-page?

      Highly unlikely. The district attorney pointed out a defense in a press release [politechbot.com] in response to public concern about the case:
      A suspect's intent, the amount of loss occasioned by the behavior, and the context of the alleged offense are among many factors that are within the scope of the investigation and weighed in such prosecutorial decisions. Only after all these standards and issues have been considered would the United States Attorney's Office for the Eastern District of Oklahoma prosecute an individual for a criminal offense.

      Federal DAs are reluctant to prosecute unless there is a high probability of conviction and a low probability of reversal on appeal.

      it seems like cops are getting overzealous in prosecuting tech "crimes"

      Mostly one sees complaints about the light sentences hackers receive when the putative [m-w.com] damages are in the $billions. These sentences can hardly be an incentive for police to pursue what you call "tech crimes".

      Log files of virtually any Web server will indicate thousands of attempts at hacking. In terms of sheer quantity it must be the most common crime by far. I'd like to see a little more zealousness in pursuing these jerks.

  • by tiny69 ( 34486 ) on Wednesday September 26, 2001 @11:43PM (#2356717) Homepage Journal
    OK
    Who here wrote a scathing letter to the editor or someone else regarding this incident when it first came out?

    I should see more hands than that!

    For those that did raise their hand, did you write them an apology for your uncalled for comments? Go on, raise your hand.

    I didn't think so.....

  • by John Murdoch ( 102085 ) on Thursday September 27, 2001 @09:07AM (#2358180) Homepage Journal

    Yeesh!

    There are a ton of breathless posts up on this subject, all saying "Gosh! He plead to the Fed charges--that means he's a crook!" And, as is all too usual for /. commentators, everybody seems to have stopped reading the prosecutor's press release right there.

    Let's stop right there for a moment: this is not a news article. It is a press release, issued by the Federal prosecutor. Press releases, on their face, are designed to promote a person, product, or cause--they make no pretense at all of being comprehensive or factual. They are more than 'spin'--they are a carefully-structured form of shaping the truth. In other words, when your government lies to you, it usually uses a press release to do so. "We'll protect your civil liberties while monitoring your email and listening to your phone calls?" Press release. The many public benefits of Echelon? Press release. The pressing need for a national ID card? Soon to be a press release.

    So let's put on our critical thinking hats, kiddies, and re-read this press release with a little more critical attitude. Let's start with the simple facts: Brian West was cruising a news site; he found a security flaw; he downloaded a couple of PERL scripts; he called the editor of the paper the next day and told the editor he'd found a flaw. The newspaper editor flipped out, called the FBI, the FBI showed up at Brian West's office, Brian West (really stupidly) blithely gives the FBI permission to search his hard drive and copy all of his files, and gets charged with hacking. Right?

    Now let's think of the context: hackers are Evil. They get long jail terms--they do hard time. Nailing a hacker has all kinds of sex appeal for a prosecutor--computer crime is very juicy stuff for the media. (The best example is right here on SlashDot--look at how many people have read this bit of fluff and leapt to post comments about how wicked this West fellow was, and how much we should apologize for all those nasty things we said about the cops.) So just how "nailed" was West?

    You'll have to go all the way down to the bottom of the press release: the maximum penalty for this misdemeanor (speeding is a misdemeanor) is a year in jail. But the prosecutor's press release says explicitly that West will probably get probation. And (read a little higher up) West has been released without bail--solely on his promise to appear--pending sentencing.

    Now--why would the prosecutor's self-issued press release admit that this heinous computer crook has received a complete pass? That he won't do a day in prison, won't pay a penny in fines, and has been released without bond pending sentencing? Remember: this is the prosecutor's press release, so this is the most positive spin the prosecutor can put on this.

    Because the prosecutor didn't have a case--but West had probably run out of money. Note that West had two lawyers to pay (not that legal fees in Edmond, OK or Cleveland, TX are gargantuan, but presumably West wasn't exactly rich either). There are lots of times in the American legal system where justice is lost in the rush to expediency. "Criminals" plead guilty to misdemeanors with no penalties because they can't afford the cost of a trial. Prosecutors demand guilty pleas--even if there is effectively no sentence--in order to chalk the case up as a "win". This, I'd bet, is precisely one of those cases.

    Ask yourself this question: if the Justice Department had issued this kind of press release for Dmitry Sklyarov, would you regard it as a rousing vindication of the Feds--or a moral victory for the defendant?

    • Apparently critical thinking isn't very popular at all.

      Your analysis makes a lot of assumptions, the primary one being that what this guy did was harmless and unassuming.

      There were quite a number of us at the time who read the original description, and when we got to the part where, after he noticed the initial flaw, he kept probing, downloading files and passwords, etc., thought "Why?"

      This guy went too far. It's quite possible he didn't mean any harm, and that's why the prosecutors are being lenient on him.

      But he was clearly a clueless numbskull who deserves to get his hand slapped.

      You need to lose your preconceived notions of the sexiness of computer crimes, or that law enforcement officers don't understand the issues. That might have been true in the 80's and even ten years ago, but times have changed.
  • ... I'm sure everything else slashdot has linked to is still entirely accurate....
  • by szcx ( 81006 )
    To the drones who blindly believed his side of the story without looking into it further, I have two words for you; suck [slashdot.org] it [slashdot.org].
