The following copy was made on 8/18/01 from its source on LinuxFreak at:
http://www.linuxfreak.org/post.php/08/17/2001/134.html <-- go to this to add
in/post your own follow-up comment.
----------------------------------------------------------------------------

                    Cyber Citizen lands Felony Charges?

                        Posted Aug 17, 2001 by gh0ul

     [Image: Brian K. West (white shirt) being questioned]

     A good deed may lead to prosecution for Brian K. West, a 24 year
     old sales and support employee for an internet service provider in
     SE Oklahoma. Mr. West has become a statistic for the Computer
     Analysis Response Team because he alerted a local business to a
     serious security flaw in their website.

     On February 1, 2000, one of West's co-workers created a banner
     advertisement to be placed on the Poteau Daily News website as
     part of a legitimate advertising campaign for his employer. To
     test how the finished ad would look on the site, West clicked
     the `Edit' button on Microsoft's Internet Explorer. This action
     brought up Microsoft FrontPage and should have created a local
     copy of the web page, allowing West to do a mock-up of the site on
     his own computer.

     In this case, however, Microsoft FrontPage displayed some unusual
     files due to a server misconfiguration. After some confusion, West
     realized that the webserver hosting the Poteau Daily News site
     required no authentication to edit any file on the site. The lack
     of authentication meant that anyone could edit the Poteau Daily
     News website by using FrontPage, without ever having to provide a
     password. Clearly, this was a massive security hole.

     On February 2, after testing the hole to make sure there really
     was a problem, Brian West contacted the editor-in-chief of the
     Poteau Daily News, Wally Burchett, to tell him about the problem
     with his company's web site. He did this even though the site was
     hosted by Cyberlink, a company in direct competition with his own
     employer.

     West mentioned the flaws in the Cyberlink webserver to Mr.
     Burchett. When he did, Mr. Burchett became very upset and said
     he'd call West back. When Mr. Burchett called back, he recorded
     the call and asked for details on the server problem. In the
     course of explaining the problem, West let Mr. Burchett know that
     other companies, including West's own bank, had experienced
     similar problems configuring server software. Following their
     phone conversation, Mr. Burchett gave the tape to the Poteau
     Police Department. That's when the FBI got involved.

     The FBI posed as employees of the Poteau Daily News and asked West
     about dedicated internet access (T1 or better). They called for
     the best time to come visit him at Cwis Internet Services, the
     company where he works. After setting up a meeting, the FBI
     arrived on Feb. 11, 2000. When the FBI, posing as the `main
     office' of the Poteau Daily News, asked about the problem with the
     pdns.com site, West explained the details regarding the pdns.com
     (Poteau Daily News) website, including how to fix the server
     misconfiguration. At this time, he did not know they were FBI
     agents. As part of the explanation, West clicked edit in IE to
     show them how the bug worked. As it happened, the site was still
     wide open, two weeks after he had explained the vulnerability and
     how to fix it to the editor-in-chief of the paper, Wally Burchett.

     After the explanation, one of the agents claimed he needed to get
     something out of his car. When he left, a different agent showed
     up with a badge and a search warrant. West and the others
     cooperated with the FBI agents in the search. The FBI spent all
     day taking data. They also refused to promptly provide a copy of
     the Search Warrant when one was repeatedly requested.

     Almost 16 months after the FBI searched Mr. West's work place, a
     U.S. Prosecuting Attorney in Muskogee, Oklahoma, called his lawyer
     stating that they wanted him to accept a felony conviction and 5
     years probation. Brian K. West has yet to be charged with or
     convicted of any crimes, yet the prosecutor claims that if he
     doesn't get convicted under Title 18 Section 1030 of the USC, then
     the prosecutor would try for wire fraud.

     Brian K. West, who did nothing more than try to get a local copy
     of an html document to pre-test how an ad would look on a webpage,
     using Microsoft FrontPage, may well have his reputation ruined and
     his finances destroyed as a result of his actions. He did not
     deface the site. He did not damage anything. He accidentally found
     a security hole, tested it to make sure it was real, and then
     called the owner of the site to inform him of the problem. In
     short, West faces a felony conviction for telling the Poteau Daily
     News that he discovered a serious misconfiguration in their
     server.

     Documentation on this case, in .pdf format (Acrobat) can be found
     at www.bkw.org/pdf

     Contributions to cover the legal expenses for Brian K. West may be
     made to brian@bkw.org via the `Donate' link below.

     The attorney has notified West that a $10,000.00 retainer will be
     required, plus ongoing expenses.

     Can't donate? Wish to help this case? Contact:

     Department of Justice

     E-mail: SHELDON.SPERLING@usdoj.gov
     Subject: ATTN: Sheldon Sperling



     Comment on Article
     Richard Holt <rholt@telcel.net.ve> Aug 17, 2001

     I am ashamed of the US government. I guess this means there will
     be fewer and fewer good samaritans. I suppose we deserve what we
     get.
     ------------------------------------------------------------------

     Comment on Article
     Rex Davis <adamrd@okstate.edu> Aug 18, 2001

     What are these people thinking? He found a security hole and tried
     to get it fixed for crying out loud! It's like getting arrested for
     smelling gas outside and calling 911. West did absolutely nothing
     wrong, in fact he did everything right. Filing charges on this
     will be a big mistake and a waste of money, for West and
     taxpayers. Not to mention an utter embarrassment to the DOJ and
     other officials who lack the basic understanding of computers to
     even begin building a case on this. Good luck West, and shame on
     you DOJ. P.S. (A simple computers for idiots book would have this
     case dropped in court.)
     ------------------------------------------------------------------

     Comment on Article
     Janus Shelley <Lunastorm@MyRealBox.com> Aug 18, 2001

     This is depressing, but would they actually have anything against
     him if they tried to get him for wire fraud? As for the refusal to
     show him the search warrant, that sounds like something for the
     ACLU. Hopefully this will all end okay and Wally Burchett will be
     fired and die alone and miserable.
     ------------------------------------------------------------------

     Comment on Article
     Brian K. West <brian@bkw.org> Aug 18, 2001

     Oh Wally was already fired. But I have also found something else..
     if you do a whois on clnk.com you find the billing contact is Evan
     Gallant.. I wonder if they are any relation to Jeff Gallant the
     Assistant Attorney on this case! A big ole HRMMMMM
     ------------------------------------------------------------------

     Comment on Article
     Jonathan Edwards <jonatha@qx.net> Aug 18, 2001

     "In this case, however, Microsoft FrontPage displayed some unusual
     files due to a server misconfiguration. ... The lack of
     authentication meant that anyone could edit the Poteau Daily News
     website by using FrontPage, without ever having to provide a
     password."

     Item 19 in the affidavit implies that the logs show one of those
     "unusual files" contained userids and passwords, one of which was
     subsequently used. If I were on the grand jury I would require a
     good explanation for this before I voted no true bill...

     ------------------------------------------------------------------

     Comment on Article
     Brian K. West <brian@bkw.org> Aug 18, 2001

     It was like putting your htpasswd file in your public.html
     folder. I clicked on the file in the FrontPage Explorer.. It was
     odd that they would put a password file right there where anyone
     could have requested it.. To be sure that's what this was I did put
     one of the user/pass combos in the backend script to see if that
     was what it was.. and that was it. It's like seeing an open door..
     with keys laying there in the floor.. you put the key in the lock
     to see if those keys belong to that door but the door was already
     unlocked and wide open when you walked up! Is that simple enuf?
     ------------------------------------------------------------------

     Comment on Article
     Capt. Jeffry C. Gilb <bosunj@rocketmail.com> Aug 18, 2001

     Just another FBI Bureaucriminal and a Federal Prosecutor bucking
     for a promotion. Assholes!
     ------------------------------------------------------------------

     Comment on Article
     Jonathan Edwards <jonatha@qx.net> Aug 18, 2001

     "Is that simple enuf?" Yep. Check your PayPal account...
     ------------------------------------------------------------------

     Comment on Article
     Jim G <foo@bar.com> Aug 18, 2001

     I'm surprised to see a misspelling in a letter from a United States
     Attorney. [ "Sincerly" in usdoj-letter.txt ] Don't we pay those
     guys enough to use spelling checkers?
     ------------------------------------------------------------------

     Comment on Article
     Brian K. West <brian@bkw.org> Aug 18, 2001

     I was not in a very good mood.. I typed the letter in after
     receiving it in a fax, the spelling mistake was probably mine...
     I'll double check it.. Pretty sure you wouldn't type very good
     after receiving a similar letter
     ------------------------------------------------------------------

     Comment on Article
     Jeff Hannon <jjhannon@hotmail.com> Aug 18, 2001

     Aside from all the other reprehensible `themes' which this case
     displays, it also requires knowledge of the story's setting...to
     be in proper context. As a native Oklahoman I can tell you for
     sure: 1. SE Oklahoma is not a bastion of internet or PC
     technology. I'm seriously surprised they have ISP service at all
     (it literally is in the 3rd World--no disrespect intended). 2. Law
     enforcement officials associated w/ this culture are probably
     doing very well if they can operate an AOL dial-up connection,
     much less understand its mechanics. 3. `Public' service jobs in
     the 3rd World tend to be granted politically and have very little
     to do w/ education level. It sounds like no one w/ the exception
     of Mr. West really knows what they are talking about or dealing
     with...still no justification for the actions taken.
     ------------------------------------------------------------------

     Comment on Article
     <anonymous@linuxfreak.org> Aug 18, 2001

     My take... Web guy finds amazingly easy to discover security hole
     tells competing ISP about defect in its own system. Competing
     service sees an easy way to eliminate a skilled professional.. or
     they are idiots and just freak out. FBI is called.. FBI agents in
     question are fanatics about arresting anyone with technical skill.
     Ideal hacker busters... both good guys and bad guys.. That is
     where we are today... I thought this nonsense was over with back
     in the 1990s.... The next step is judge shopping. This being
     illegal now it's safe to get the case tossed regardless of
     ruling... The EFF should pursue this one with some lawsuits of
     its own.. I think we can start with the persons who called the
     FBI in the first place... I suspect they have an agenda in this..
     Think of it this way... Say a RedHat employee were to find a serious
     defect in Windows.. tells Microsoft... Microsoft sends FBI...
     agenda to destroy the reputation of a Redhat employee and by proxy
     Redhat itself... I think it's safe to say Microsoft is well beyond
     this... (also safe to say Redhat is beyond able to find said defect
     in the first place) But some companies have been known to get into
     some sad behavior..
     ------------------------------------------------------------------

     Comment on Article
     anonymous <anonymous@anonymous.com> Aug 18, 2001

     Please use something besides this lame PayPal system for
     donations. Amazon Honor System, for example. I tried for 15
     minutes to make a $50 donation and I still don't know if it worked
     or not. It complained that my credit card verification number was
     wrong - it wasn't. I don't want to join PayPal or be added to
     their spam list or have them store my credit card number. I just
     want to make a donation and I am not going to spend all morning
     trying to do it.
     ------------------------------------------------------------------

     Comment on Article
     Brian K. West <brian@bkw.org> Aug 18, 2001

     hrm.. I wasn't aware of the Amazon system... I set it up:
     http://www.amazon.com/paypage/P3EMCVKJQX404O Thanks, Brian
     ------------------------------------------------------------------