******* Previous message: http://www.politechbot.com/p-02414.html ******* From: rmsat_private (Richard M. Smith) To: <politechat_private>, <toddat_private> Subject: RE: Feds target Oklahoma good samaritan who noted web security hole Date: Mon, 20 Aug 2001 19:04:09 -0400 Declan and Todd, >>> In addition to the story above see: http://www.bkw.org/pdf/ for several >>> collateral documents, including correspondence from DOJ and a detailed >>> description of how this ridiculous travesty unfolded. I think that anyone who is interested in this story, should carefully read over the 4 pages of comments posted after the Linux Freak story. Apparently some of the players involved in the situation are providing information beyond what the story itself had to say. My impression after reading the comments as well as some earlier news reports is what happened is a bit more complicated than the Linux Freak story leads one to believe. This news story in particular is very interesting: http://www.bkw.org/pdf/stigler-news-hack.pdf (Please ignore the dumb definition of "hacking"). I have always felt that it can be very risky to do too much research on security holes on other people's Web servers without their permission. It is particularly problematic if the servers belong to a direct competitor which apparently is the case in this story. The reason that the FBI and US attorney's office got involved is that they are alleging that a few hundred files where downloaded by Brian West from a competitor's Web server. Some of this files included password files and Perl scripts owned by the competitor. Richard M. Smith CTO, Privacy Foundation http://www.privacyfoundation.org ******* Date: Mon, 20 Aug 2001 22:02:32 -0700 From: Todd Jonz <toddat_private> To: "Richard M. Smith" <rmsat_private> Cc: declanat_private Subject: Re: Feds target Oklahoma good samaritan who noted web security hole Richard writes: > Apparently some of the players involved in the situation > are providing information beyond what the [Linux Freak] > story itself had to say. Including the FBI in its affidavit, which I've only just read: | 15. ...West indicated to Burchett that West had accessed | the PDNS Web site by obtaining the user names and passwords. which contradicts Linux Freak's claim that the site was accessed without authentication. Furthermore: | 19. ...the logs reflect that the attempts to connect were | not simply requests to view the webpage, but attempts to | access the files and Perl scripts that cause the webpage | to operate....[West's presumed host] was able to enter a | command line to access the file containing user | identifications and passwords... No doubt about it: this was a simple case of breaking and entering. Declan, my sincerest apologies for the false alarm. -- Todd Jonz When cryptography is outlawed, toddat_private bayl bhgynjf jvyy unir cevinpl. ******* ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 08:19:59 PDT