FC: Brian K. West's defense lawyer replies to U.S. Attorney

From: Declan McCullagh (declanat_private)
Date: Sun Aug 26 2001 - 19:02:49 PDT


    ********
    
    From: "Cherie M. Chappell" <cmcat_private>
    To: <declanat_private>
    Subject: Brian West - Defense Press Release
    Date: Sun, 26 Aug 2001 19:26:06 -0500
    
    Defense Press Release - For Immediate Release
    
    In response to U.S. Attorney Sheldon (Shelly) J. Sperling's web posted News
    Release of 8/24/01, posted at http://www.politechbot.com/p-02430.html  Mr.
    Brian West's defense team makes the following response:
    
    It appears from the facts of this case that Mr. West was allegedly using
    Microsoft Windows, Microsoft Internet Explorer, and Microsoft FrontPage
    software (all registered trademarks of the Microsoft Corporation) when he
    was inadvertently exposed to the Poteau Daily News & Sun's website directory
    tree.  The web hosting provider for the Poteau Daily News & Sun, Cyberlink,
    was also allegedly running Microsoft NT 4.0 - IIS and Microsoft FrontPage
    with server extensions enabled.
    
    From these facts it appears that Microsoft's software may have caused this
    unfortunate situation to occur.   Mr. Sperling or the Federal Bureau of
    Investigation may be wise to investigate Microsoft as a possible
    co-defendant or party in this case.
    
    It appears that Microsoft's software at issue in this case was developed
    and/or produced after the original October 1984 enactment of the statute.
    If this case goes to trial, the Microsoft personnel who developed these
    programs will likely be subpoenaed as witnesses by Mr. West's defense team.
    Or if it is found that this software  contributed to, participated in or
    caused the events under investigation to occur, Microsoft could be indicted
    under the same statute.
    
    It may be appropriate to ask Microsoft to recall these potentially
    statute-violating products from the market or to provide patches to all of
    the affected software owners, worldwide.  (The language of the statute
    provides for worldwide jurisdictional authority - if the computer is "used
    in interstate or foreign commerce or communication".)
    
    This case may also involve Oklahoma state antitrust issues.
    
    Under Title 18 of the United States Code, Section 1030(a)(2)(C), the federal
    statute under which the federal investigation against Mr. West is
    proceeding, it is a crime for:
    "Whoever intentionally accesses a computer without authorization or exceeds
    authorized access, and thereby obtains information from any protected
    computer if the conduct involved an interstate or foreign communication;"
    The statute also provides definitions for certain key phrases used in the
    statute.
    18 USC 1030(e): As used in this section -
    (1) the term ''computer'' means an electronic, magnetic, optical,
    electrochemical, or other high speed data processing device performing
    logical, arithmetic, or storage functions, and includes any data storage
    facility or communications facility directly related to or operating in
    conjunction with such device,
    but such term does not include an automated typewriter or typesetter, a
    portable hand held calculator, or other similar device;
    (2) the term ''protected computer'' means a computer -
    (A) exclusively for the use of a financial institution or the United States
    Government, or, in the case of a computer not exclusively for such use, used
    by or for a financial institution or the United States Government and the
    conduct constituting the offense affects that use by or for the financial
    institution or the Government; or
    (B) which is used in interstate or foreign commerce or communication;
    (6) the term ''exceeds authorized access'' means to access a computer with
    authorization and to use such access to obtain or alter information in the
    computer that the accesser is not entitled so to obtain or alter;
    This statute may be fatally flawed.
    
    First, there is a question of the Constitutionality of this statute under the
    1st and 9th Amendments to the United States Constitution.
    
    Second, everyone who places Cookies on millions of computers around the
    world without the authorization of internet users could be criminally
    prosecuted under this statute, particularly in light of the statute's
    definitions of "protected computer" and "exceed authorized access."
    
    Third, senders of certain kinds of SPAM (not the lunch meat) may also be
    subjected to criminal prosecution under this statute.   Every U.S. Attorney
    in the country may have the power to criminally prosecute SPAM'ers under
    this statute.
    Although Mr. Sperling notes in his posting (cited above) that, "[t]he
    question under investigation is whether valuable intellectual property has
    been improperly converted" he should note that the provisions of the Digital
    Millennium Copyright Act allowing criminal prosecution for merely looking at
    or caching code do not apply in this case, as that particular portion of the
    DMCA was not enacted until October 2000, a full nine months after the events
    unfolded in Mr. West's case.
    Cyberlink or its owner(s) may be investigated by the Office of Oklahoma
    Attorney General Drew Edmondson for possible criminal antitrust violations
    under Oklahoma law (79 O.S. 203(A) and (B))
    http://www.oscn.net/applications/oscn/deliverdocument.asp?citeID=89728  From
    the facts in this case, it appears that Cyberlink allegedly exercised its
    monopoly market power in the Poteau internet service provider market and
    allegedly attempted to prevent Mr. West's company from gaining entry into
    that market by allegedly misinforming law enforcement about Mr. West's
    contact and involvement with the website of the Poteau Daily News & Sun.
    
    Mr. West's defense team has decided to issue this press release in response
    to Mr. Sperling's press release that was web posted at 21:01 (9:07pm) on
    Friday, August 24, 2001, at  http://www.politechbot.com/p-02430.html   and
    because Mr. West's situation has generated a great deal of public interest.
    
    Mr. West and his defense team thank you for your interest in his situation.
    
    -Cherie M. Chappell and Kenneth R. Poland
    
    For further information contact:
    
    Cherie M. Chappell, Esq.
    Chappell Law Firm, P.L.L.C.
    P.O. Box 5243
    Edmond, OK 73083-5243
    405.340.7755 voice
    405.340.7757 fax
    Email: cmcat_private
    URL: www.chappelllawfirm.com
    
    ********
    
    From: "Thomas Junker" <tjunkerat_private>
    To: declanat_private
    Date: Sun, 26 Aug 2001 16:34:49 -0500
    In-reply-to: <5.0.2.1.0.20010826105411.00a36730at_private>
    
    On 26 Aug 2001, at 11:22, Declan McCullagh wrote:
    
     > Date: Sat, 25 Aug 2001 19:41:18 -0400
     > From: John Noble <jnobleat_private>
     > Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry with
     >   statement
     >
     > It's an interesting defense -- accidental penetration.
    
    It's more than interesting:  we seem to have entered the age of
    Click on a Link, Go to Jail.  Amplification below...
    
     > Maybe somebody on
     > your list, Declan, who knows more about network security can answer this
     > question: if a hypothetical cracker was nailed by real-time monitoring -- a
     > "gotcha" while online and inside the network -- would he likely know it or
     > suspect it?
    
    No, but the question presupposes something not suggested by the
    published facts I have so far seen:  that Mr. West was "inside the
    network."  According to the reports he simply clicked on a function
    in Microsoft Front Page to capture a Web page for use as a sample
    and, to his surprise, found that Front was allowed editing access to
    that page.  That's like walking up to a door in an unfamiliar office
    building to read the occupant information and finding one's self
    sucked through the door and to an open file cabinet, whereupon the
    hidden cameras film one "penetrating" someone's confidential
    information.  It was Front Page, a tool from a company notorious for
    going out of its way to facilitate insecure accesses by automating
    security holes, that did the penetrating, and that was only possible
    because the site had not been secured in any way.  No doubt leaving
    the site wide open to public modification is the default in Front
    Page, which would be true to form.
    
    Another analogy could be visiting a business office for information,
    seeing a sign saying, "Public information this way," following the
    arrow, opening the door to which it points, finding one's self in a
    room full of file cabinets, briefly examining some file folders
    thinking they must contain the public information, discovering that
    the information is most decidedly not of a public nature, leaving,
    reporting the lack of security to the management, and being accused
    of "penetrating" the company's files.  It is absurd.
    
    Had Mr. West used something like WebWhacker to capture pages, or
    even "Save As" in his browser, he would have been in no danger of
    "penetrating" anything, intentionally or otherwise.  His basic
    mistake was in using software that tries to do Dangerous Things at
    the touch of an innocuous button.  His second mistake was pride --
    he had to tell someone how smart he was.  Reporting an unlocked door
    to clueless weasels is probably a good way to be asked, "And what
    were *you* doing opening that door?" and to be accused of
    trespassing.  Or to have detectives show up and ask one, "Can you
    show us this door you found unlocked, and can you show us exactly
    how you opened it?"  Translate all this into the context of doors
    with ambiguous markings in public offices where public information
    is advertised to be available and it becomes clear how silly it is.
    
     > Or can we assume that his voluntary report of his accidental
     > accomplishment was the product of good faith and stupidity?
    
    Yes, overwhelmingly so.  To suggest that he somehow tipped to some
    form of monitoring by using Front Page and then 'fessed up to seem
    of innocent intent is a far reach.  And what monitoring, for that
    matter?  It seems unlikely that people disorganized enough to leave
    their Website completely open to editing by Front Page by anyone on
    the planet would be together enough to be monitoring their network
    in real time for intrusions.  More likely the "monitoring" was the
    examination of logs after the fact.
    
    Something else I have not seen mentioned is this:  many TCP/IP
    tools, particularly browsers and other Web tools, incessantly send
    requests for documents until they receive an answer.  Crank up a
    sniffer or other form of raw TCP/IP monitoring and point a browser
    at a host that doesn't exist or doesn't answer on Port 80.  You will
    see the browser send dozens, perhaps hundreds of requests.  There is
    little in such traffic logs to suggest any correlation between the
    numerous "attempts" and any willfulness or repeated action on the
    part of the person using the software making the requests.  Worse,
    the user is unaware of all that activity, seeing only the spinning
    logo of the Web browser, for example, as it tries to contact a
    Website.  It is as if your phone had an automatic redial feature
    that would continue to dial until achieving a connection.  It would
    be as mindless to count the number of calls as some kind of
    indication of intent or persistence on the part of the caller as it
    may be to count "attempts" to connect to something in the Internet,
    particularly something intended to be connected to by its very
    nature and by tools that customarily contain automatic retry
    functionalities.  Have we now reached a place in La-La Land where
    each of 100 or more TCP port connection tries automatically made by
    a browser is to become a "count" in an indictment?
    
     > Date: Sat, 25 Aug 2001 11:30:21 -0700
     > From: Anthony Mournian <mournianat_private>
     >
     > August 25, 2001
     >
     > ...
     >
     > Somehow this whole thing of Internet security has begun to turn upside
     > down.
    
    Yea, verily!
    
     > It has a chilling effect on free and open communication when it
     > becomes a crime to talk about the possibility of breaching security, or
     > to discuss it in an open forum. It has a chilling effect on free speech
     > when the U.S. Government decides to act like the 800 lb gorilla and go
     > after a person like Brian K. West, who did in fact look at the content
     > of another person's computer, and had the common sense to report the
     > complete lack of security to the computer's owner.
    
    Very well put.
    
     > Funny, I feel even by writing you this note I invite
     > investigation by Big Brother.
    
    As do I by writing to Declan with the possibility that he may
    include my message in his public list.
    
     > ...
     >
     > Much of this note is off the point, and yet is directly on point. The
     > U.S. Government is too much in many of our lives already, and this
     > newfound Mecca of computer investigation and The Hammer for those who
     > even technically step off the line, as apparently did Mr. West, is a bit
     > too much.
    
    It is way too much.  It is probably to be expected, though.  People,
    including law enforcement, have demonstrated some difficulty in
    translating concepts well settled in non-computer contexts into the
    world of computers and Internet.  In time this will all shake out
    but there will be many casualties along the way.  In a few decades
    readers of old accounts of such bizarre applications of law and
    legal concepts as we are today witnessing will no doubt shake their
    heads over the silliness of it all, much as we can now gape at the
    absurdity of the Salem witch trials and other such excursions, but
    they will in no way gain a sense of the horror of being one of the
    casualties.
    
    There does indeed appear to be a flight of common sense from most
    all walks of modern life, from the hamburger flipper who replies to
    an order for a burger to go by asking, "Here or to go?" to the
    legion of businesses whose Customer Service is less useful than the
    time-of-day recording to elected representatives who fall all over
    themselves to offer and pass legislation clearly prohibited by
    various constitutions.  It should not be all that surprising that
    law enforcement entities are seizing on new computer-related
    legislation as if the underlying concepts had just been imported
    from another galaxy and were to be taken without regard to common
    sense or any other established legal wisdom.  On the one hand people
    in general are having difficulty applying what they already know to
    the Internet; on the other hand it is in the nature of law
    enforcement to seek any advantage at the cost of any principle or any
    loss of rights for all.  What we cannot yet see is how far down the
    road of lunacy this trend will go before it is corrected.
    
    Regards,
    
    Thomas Junker
    tjunkerat_private
    
    ********
    
    From: "Peter Hollings" <phollingsat_private>
    To: <declanat_private>
    References: <5.0.2.1.0.20010826105411.00a36730at_private>
    Subject: Re: More on Brian K. West, DOJ, and "Good Samaritan" prosecution
    Date: Sun, 26 Aug 2001 14:07:07 -0400
    
    I suspect that most IT security managers would initially respond to an
    intrusion by turning on programs that would log the intruder's
    activities.  To prevent re-occurrence, they'd want to know the intruder's
    identity, method of penetration, activities, etc.  Also, any form of
    prosecution would depend on this.  (See, for example:
    http://www.cert.org/security-improvement/modules/m06.html .)  Thus, the
    intruder would likely NOT KNOW immediately that his presence had been
    detected.
    
    The second question, whether someone could "accidentally" intrude on
    someone else's computer is more speculative.  In general, people don't
    accidentally access, much less penetrate, another computer, but it's
    possible, just like it's possible for a legitimate deliveryman knocking
    at a door to find that it swings open (because it's unlatched).
    Ultimately, I think that the important issues are things like
    motivations, damages, knowledge that it was a secure area being intruded
    upon, etc.
    
    Peter Hollings
    
    ********
    
    From: mjinksat_private
    Date: Sun, 26 Aug 2001 12:43:56 -0500
    To: Declan McCullagh <declanat_private>
    Cc: jnobleat_private
    Subject: Re: FC: More on Brian K. West, DOJ, and "Good Samaritan" prosecution
    
    On Sun, Aug 26, 2001 at 11:22:57AM -0400, Declan McCullagh wrote:
     >
     > From: John Noble <jnobleat_private>
     > Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry with
     >   statement
     > Cc: gharlanrat_private
     >
     > It's an interesting defense -- accidental penetration. Maybe somebody on
     > your list, Declan, who knows more about network security can answer this
     > question: if a hypothetical cracker was nailed by real-time monitoring -- a
     > "gotcha" while online and inside the network -- would he likely know it or
     > suspect it?
    
    "An intruder" given full shell access to the machine in question could find
    out anything about it, within reason, but from what I've read Mr. West is not
    alleged to have had that kind of access.  It sounds like he got read-write
    access to a section of the filesystem, but probably not an area where any
    intrusion detection systems would be residing.
    
    Was he caught on any monitoring systems?
    
     > Or can we assume that his voluntary report of his accidental
     > accomplishment was the product of good faith and stupidity?
    
    I take some issue with the implication that the incident could not have
    happened casually.  Whether it did or not is apparently open to question;
    no doubt we'll be hearing more about exactly what happened and when.  But
    as I read the accounts presented so far, there is every reason to believe
    that the initial intrusion _could_ have happened almost before Mr. West had
    a moment to consider the implications of what he was doing.  The alleged
    misconfiguration was that bad, that easy to exploit.
    
    One might ask then, why Mr. West did not immediately cease his actions, why
    he continued to download files if he knew that his access was illegitimate.
    I don't want to speculate on Mr. West's state of mind or intentions at the
    time, but a hole this egregious can outrage a technician, and my own first
    impulse would probably be to alert the owner of the web site, with proof
    included.  After all, without proof I'm just smearing a competitor.
    
    Next an assertion without rigor but which I think bears some intuitive
    validity: a crime which does not feel at all like a crime, perhaps because
    of the ease with which it may be committed, should probably be viewed with
    a certain degree of leniency.  Taking a shortcut across someone else's lawn
    is trespassing, but it's hardly breaking and entering.  If someone leaves
    a business associate's private documents lying around on their front lawn,
    and a casual passerby picks them up -- well, technically that's stealing.
    But most of the police types and lawyers I've met would probably laugh at the
    notion of prosecuting the guy who picked up an unprotected bundle of documents
    lying on a lawn, rifled through them, realized who they belonged to, and then
    handed them off with the message "hey I found these on your buddy's lawn."
    
    Maybe he went looking, maybe he had something to gain, but one thing that
    seems clear to me is that without a glaring (negligent?) error on the part
    of the ISP, none of this would have been possible, and it seems reasonable to
    think that the ISP shares at least some responsibility for any harm inflicted.
    
    As Mr. Mournian seems to suggest in his own letter, the fact that the Internet
    was involved should not cloud the nature of what actually took place.
    
    
     > John Noble
    
    Michael Jinks
    
    ********
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


