Politech mailing list archives

Previous By Date Next
Previous By Thread Next

FC: DOJ prosecution of "good samaritan" may be justified after all?

From: Declan McCullagh <declan () wired com>
Date: Tue, 21 Aug 2001 11:02:58 -0400
*******
Previous message:
http://www.politechbot.com/p-02414.html
*******

From: rms () privacyfoundation org (Richard M. Smith)
To: <politech () politechbot com>, <todd () tj org>
Subject: RE: Feds target Oklahoma good samaritan who noted web security hole
Date: Mon, 20 Aug 2001 19:04:09 -0400

Declan and Todd,

  >>> In addition to the story above see: http://www.bkw.org/pdf/ for
several 
  >>> collateral documents, including correspondence from DOJ and a
detailed 
  >>> description of how this ridiculous travesty unfolded.

I think that anyone who is interested in this story, should carefully
read over the 4 pages of comments posted after the Linux Freak story.
Apparently some of the players involved in the situation are providing
information beyond what the story itself had to say.  My impression
after reading the comments as well as some earlier news reports is what
happened is a bit more complicated than the Linux Freak story leads one
to believe.  This news story in particular is very interesting:  

   http://www.bkw.org/pdf/stigler-news-hack.pdf

(Please ignore the dumb definition of "hacking").

I have always felt that it can be very risky to do too much research on
security holes on other people's Web servers without their permission.
It is particularly problematic if the servers belong to a direct
competitor which apparently is the case in this story.

The reason that the FBI and US attorney's office got involved is that
they are alleging that a few hundred files where downloaded by Brian
West from a competitor's Web server.  Some of this files included
password files and Perl scripts owned by the competitor. 

Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

*******

Date: Mon, 20 Aug 2001 22:02:32 -0700
From: Todd Jonz <todd () tj org>
To: "Richard M. Smith" <rms () privacyfoundation org>
Cc: declan () well com
Subject: Re: Feds target Oklahoma good samaritan who noted web security hole

Richard writes:

        > Apparently some of the players involved in the situation
        > are providing information beyond what the [Linux Freak]
        > story itself had to say.

Including the FBI in its affidavit, which I've only just read:

        | 15.  ...West indicated to Burchett that West had accessed
        | the PDNS Web site by obtaining the user names and passwords.

which contradicts Linux Freak's claim that the site was accessed
without authentication.  Furthermore:

        | 19.  ...the logs reflect that the attempts to connect were
        | not simply requests to view the webpage, but attempts to
        | access the files and Perl scripts that cause the webpage
        | to operate....[West's presumed host] was able to enter a
        | command line to access the file containing user
        | identifications and passwords...

No doubt about it:  this was a simple case of breaking and entering.
Declan, my sincerest apologies for the false alarm.


--
Todd Jonz                               When cryptography is outlawed,
todd () tj org                          bayl bhgynjf jvyy unir cevinpl.

*******



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: