********

From: "Cherie M. Chappell" <cmcat_private>
To: <declanat_private>
Subject: Brian West - Defense Press Release
Date: Sun, 26 Aug 2001 19:26:06 -0500

Defense Press Release - For Immediate Release

In response to U.S. Attorney Sheldon (Shelly) J. Sperling's web posted News Release of 8/24/01, posted at http://www.politechbot.com/p-02430.html Mr. Brian West's defense team makes the following response:

It appears from the facts of this case that Mr. West was allegedly using Microsoft Windows, Microsoft Internet Explorer, and Microsoft FrontPage software (all registered trademarks of the Microsoft Corporation) when he was inadvertently exposed to the Poteau Daily News & Sun's website directory tree. The web hosting provider for the Poteau Daily News & Sun, Cyberlink, was also allegedly running Microsoft NT 4.0 - IIS and Microsoft FrontPage with server extensions enabled.

From these facts it appears that Microsoft's software may have caused this unfortunate situation to occur. Mr. Sperling or the Federal Bureau of Investigation may be wise to investigate Microsoft as a possible co-defendant or party in this case.

It appears that Microsoft's software at issue in this case was developed and/or produced after the original October 1984 enactment of the statute. If this case goes to trial, the Microsoft personnel who developed these programs will likely be subpoenaed as witnesses by Mr. West's defense team. Or if it is found that this software contributed to, participated in or caused the events under investigation to occur, Microsoft could be indicted under the same statute.

It may be appropriate to ask Microsoft to recall these potentially statute-violating products from the market or to provide patches to all of the affected software owners, worldwide. (The language of the statute provides for worldwide jurisdictional authority - if the computer is "used in interstate or foreign commerce or communication".)
This case may also involve Oklahoma state antitrust issues.

Under Title 18 of the United States Code, Section 1030(a)(2)(C), the federal statute under which the federal investigation against Mr. West is proceeding, it is a crime for:

"Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication;"

The statute also provides definitions for certain key phrases used in the statute.

18 USC 1030(e): As used in this section -

(1) the term ''computer'' means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

(2) the term ''protected computer'' means a computer -

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication;

(6) the term ''exceeds authorized access'' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

This statute may be fatally flawed.

First, there is a question of the Constitutionality of this statute under the 1st and 9th Amendments to the United States Constitution.
Second, everyone who places Cookies on millions of computers around the world without the authorization of internet users could be criminally prosecuted under this statute, particularly in light of the statute's definitions of "protected computer" and "exceed authorized access."

Third, senders of certain kinds of SPAM (not the lunch meat) may also be subjected to criminal prosecution under this statute. Every U.S. Attorney in the country may have the power to criminally prosecute SPAM'ers under this statute.

Although Mr. Sperling notes in his posting (cited above) that, "[t]he question under investigation is whether valuable intellectual property has been improperly converted" he should note that the provisions of the Digital Millennium Copyright Act allowing criminal prosecution for merely looking at or caching code do not apply in this case, as that particular portion of the DMCA was not enacted until October 2000, a full nine months after the events unfolded in Mr. West's case.

Cyberlink or its owner(s) may be investigated by the Office of Oklahoma Attorney General Drew Edmondson for possible criminal antitrust violations under Oklahoma law (79 O.S. 203(A) and (B)) http://www.oscn.net/applications/oscn/deliverdocument.asp?citeID=89728

From the facts in this case, it appears that Cyberlink allegedly exercised its monopoly market power in the Poteau internet service provider market and allegedly attempted to prevent Mr. West's company from gaining entry into that market by allegedly misinforming law enforcement about Mr. West's contact and involvement with the website of the Poteau Daily News & Sun.

Mr. West's defense team has decided to issue this press release in response to Mr. Sperling's press release that was web posted at 21:01 (9:07pm) on Friday, August 24, 2001, at http://www.politechbot.com/p-02430.html and because Mr. West's situation has generated a great deal of public interest. Mr.
West and his defense team thank you for your interest in his situation.

-Cherie M. Chappell and Kenneth R. Poland

For further information contact:
Cherie M. Chappell, Esq.
Chappell Law Firm, P.L.L.C.
P.O. Box 5243
Edmond, OK 73083-5243
405.340.7755 voice
405.340.7757 fax
Email: cmcat_private
URL: www.chappelllawfirm.com

********

From: "Thomas Junker" <tjunkerat_private>
To: declanat_private
Date: Sun, 26 Aug 2001 16:34:49 -0500
In-reply-to: <5.0.2.1.0.20010826105411.00a36730at_private>

On 26 Aug 2001, at 11:22, Declan McCullagh wrote:

> Date: Sat, 25 Aug 2001 19:41:18 -0400
> From: John Noble <jnobleat_private>
> Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry with
> statement
>
> It's an interesting defense -- accidental penetration.

It's more than interesting: we seem to have entered the age of Click on a Link, Go to Jail. Amplification below...

> Maybe somebody on
> your list, Declan, who knows more about network security can answer this
> question: if a hypothetical cracker was nailed by real-time monitoring -- a
> "gotcha" while online and inside the network -- would he likely know it or
> suspect it?

No, but the question presupposes something not suggested by the published facts I have so far seen: that Mr. West was "inside the network." According to the reports he simply clicked on a function in Microsoft Front Page to capture a Web page for use as a sample and, to his surprise, found that Front was allowed editing access to that page.

That's like walking up to a door in an unfamiliar office building to read the occupant information and finding one's self sucked through the door and to an open file cabinet, whereupon the hidden cameras film one "penetrating" someone's confidential information. It was Front Page, a tool from a company notorious for going out of its way to facilitate insecure accesses by automating security holes, that did the penetrating, and that was only possible because the site had not been secured in any way.
No doubt leaving the site wide open to public modification is the default in Front Page, which would be true to form.

Another analogy could be visiting a business office for information, seeing a sign saying, "Public information this way," following the arrow, opening the door to which it points, finding one's self in a room full of file cabinets, briefly examining some file folders thinking they must contain the public information, discovering that the information is most decidedly not of a public nature, leaving, reporting the lack of security to the management, and being accused of "penetrating" the company's files. It is absurd.

Had Mr. West used something like WebWhacker to capture pages, or even "Save As" in his browser, he would have been in no danger of "penetrating" anything, intentionally or otherwise. His basic mistake was in using software that tries to do Dangerous Things at the touch of an innocuous button.

His second mistake was pride -- he had to tell someone how smart he was. Reporting an unlocked door to clueless weasels is probably a good way to be asked, "And what were *you* doing opening that door?" and to be accused of trespassing. Or to have detectives show up and ask one, "Can you show us this door you found unlocked, and can you show us exactly how you opened it?" Translate all this into the context of doors with ambiguous markings in public offices where public information is advertized to be available and it becomes clear how silly it is.

> Or can we assume that his voluntary report of his accidental
> accomplishment was the product of good faith and stupidity?

Yes, overwhelmingly so. To suggest that he somehow tipped to some form of monitoring by using Front Page and then 'fessed up to seem of innocent intent is a far reach. And what monitoring, for that matter?
It seems unlikely that people disorganized enough to leave their Website completely open to editing by Front Page by anyone on the planet would be together enough to be monitoring their network in real time for intrusions. More likely the "monitoring" was the examination of logs after the fact.

Something else I have not seen mentioned is this: many TCP/IP tools, particularly browsers and other Web tools, incessantly send requests for documents until they receive an answer. Crank up a sniffer or other form of raw TCP/IP monitoring and point a browser at a host that doesn't exist or doesn't answer on Port 80. You will see the browser send dozens, perhaps hundreds of requests. There is little in such traffic logs to suggest any correlation between the numerous "attempts" and any willfulness or repeated action on the part of the person using the software making the requests. Worse, the user is unaware of all that activity, seeing only the spinning logo of the Web browser, for example, as it tries to contact a Website. It is as if your phone had an automatic redial feature that would continue to dial until achieving a connection. It would be as mindless to count the number of calls as some kind of indication of intent or persistence on the part of the caller as it may be to count "attempts" to connect to something in the Internet, particularly something intended to be connected to by its very nature and by tools that customarily contain automatic retry functionalities. Have we now reached a place in La-La Land where each of 100 or more TCP port connection tries automatically made by a browser is to become a "count" in an indictment?

> Date: Sat, 25 Aug 2001 11:30:21 -0700
> From: Anthony Mournian <mournianat_private>
>
> August 25, 2001
>
> ...
>
> Somehow this whole thing of Internet security has begun to turn upside
> down.

Yea, verily!
> It has a chilling effect on free and open communication when it
> becomes a crime to talk about the possibility of breaching security, or
> to discuss it in an open forum. It has a chilling effect on free speech
> when the U.S. Government decides to act like the 800 lb gorilla and go
> after a person like Brian K. West, who did in fact look at the content
> of another person's computer, and had the common sense to report the
> complete lack of security to the computer's owner.

Very well put.

> Funny, I feel even by writing you this note I invite
> investigation by Big Brother.

As do I by writing to Declan with the possibility that he may include my message in his public list.

> ...
>
> Much of this note is off the point, and yet is directly on point. The
> U.S. Government is too much in many of our lives already, and this
> newfound Mecca of computer investigation and The Hammer for those who
> even technically step off the line, as apparently did Mr. West, is a bit
> too much.

It is way too much. It is probably to be expected, though. People, including law enforcement, have demonstrated some difficulty in translating concepts well settled in non-computer contexts into the world of computers and Internet. In time this will all shake out but there will be many casualties along the way. In a few decades readers of old accounts of such bizarre applications of law and legal concepts as we are today witnessing will no doubt shake their heads over the silliness of it all, much as we can now gape at the absurdity of the Salem witch trials and other such excursions, but they will in no way gain a sense of the horror of being one of the casualties.

There does indeed appear to be a flight of common sense from most all walks of modern life, from the hamburger flipper who replies to an order for a burger to go by asking, "Here or to go?"
to the legion of businesses whose Customer Service is less useful than the time-of-day recording to elected representatives who fall all over themselves to offer and pass legislation clearly prohibited by various constitutions. It should not be all that surprising that law enforcement entities are seizing on new computer-related legislation as if the underlying concepts had just been imported from another galaxy and were to be taken without regard to common sense or any other established legal wisdom. On the one hand people in general are having difficulty applying what they already know to the Internet; on the other hand it is in the nature of law enforcement to seek any advantage at the cost of any principle or any loss of rights for all. What we cannot yet see is how far down the road of lunacy this trend will go before it is corrected.

Regards,

Thomas Junker
tjunkerat_private

********

From: "Peter Hollings" <phollingsat_private>
To: <declanat_private>
References: <5.0.2.1.0.20010826105411.00a36730at_private>
Subject: Re: More on Brian K. West, DOJ, and "Good Samaritan" prosecution
Date: Sun, 26 Aug 2001 14:07:07 -0400

I suspect that most IT security managers would initially respond to an intrusion by turning on programs that would log the intruder's activities. To prevent re-occurrence, they'd want to know the intruder's identity, method of penetration, activities, etc. Also, any form of prosecution would depend on this. (See, for example: http://www.cert.org/security-improvement/modules/m06.html .) Thus, the intruder would likely NOT KNOW immediately that his presence had been detected.

The second question, whether someone could "accidentally" intrude on someone else's computer is more speculative. In general, people don't accidentally access, much less penetrate, another computer, but it's possible, just like it's possible for a legitimate deliveryman knocking at a door to find that it swings open (because it's unlatched).
Ultimately, I think that the important issues are things like motivations, damages, knowledge that it was a secure area being intruded upon, etc.

Peter Hollings

********

From: mjinksat_private
Date: Sun, 26 Aug 2001 12:43:56 -0500
To: Declan McCullagh <declanat_private>
Cc: jnobleat_private
Subject: Re: FC: More on Brian K. West, DOJ, and "Good Samaritan" prosecution

On Sun, Aug 26, 2001 at 11:22:57AM -0400, Declan McCullagh wrote:
>
> From: John Noble <jnobleat_private>
> Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry with
> statement
> Cc: gharlanrat_private
>
> It's an interesting defense -- accidental penetration. Maybe somebody on
> your list, Declan, who knows more about network security can answer this
> question: if a hypothetical cracker was nailed by real-time monitoring -- a
> "gotcha" while online and inside the network -- would he likely know it or
> suspect it?

"An intruder" given full shell access to the machine in question could find out anything about it, within reason, but from what I've read Mr. West is not alleged to have had that kind of access. It sounds like he got read-write access to a section of the filesystem, but probably not an area where any intrusion detection systems would be residing. Was he caught on any monitoring systems?

> Or can we assume that his voluntary report of his accidental
> accomplishment was the product of good faith and stupidity?

I take some issue with the implication that the incident could not have happened casually. Whether it did or not is apparently open to question, no doubt we'll be hearing more about exactly what happened and when. But as I read the accounts presented so far, there is every reason to believe that the initial intrusion _could_ have happened almost before Mr. West had a moment to consider the implications of what he was doing. The alleged misconfiguration was that bad, that easy to exploit.

One might ask then, why Mr.
West did not immediately cease his actions, why he continued to download files if he knew that his access was illegitimate. I don't want to speculate on Mr. West's state of mind or intentions at the time, but a hole this egregious can outrage a technician, and my own first impulse would probably be to alert the owner of the web site, with proof included. After all, without proof I'm just smearing a competitor.

Next an assertion without rigor but which I think bears some intuitive validity: a crime which does not feel at all like a crime, perhaps because of the ease with which it may be committed, should probably be viewed with a certain degree of leniency. Taking a shortcut across someone else's lawn is trespassing, but it's hardly breaking and entering. If someone leaves a business associate's private documents lying around on their front lawn, and a casual passerby picks them up -- well, technically that's stealing. But most of the police types and lawyers I've met would probably laugh at the notion of prosecuting the guy who picked up an unprotected bundle of documents lying on a lawn, rifled through them, realized who they belonged to, and then handed them off with the message "hey I found these on your buddy's lawn."

Maybe he went looking, maybe he had something to gain, but one thing that seems clear to me is that without a glaring (negligent?) error on the part of the ISP, none of this would have been possible, and it seems reasonable to think that the ISP shares at least some responsibility for any harm inflicted. As Mr. Mournian seems to suggest in his own letter, the fact that the Internet was involved should not cloud the nature of what actually took place.

> John Noble

Michael Jinks

********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Aug 26 2001 - 19:09:58 PDT