Good Samaritan Faces Felony Charges

He stumbled upon a web server's security hole and notified them of the problem. No good deed goes unpunished.


From http://www.linuxfreak.org

Updated 8/27/01

In response to U.S. Attorney Sheldon (Shelly) J. Sperling's web posted News Release of 8/24/01, posted at http://www.politechbot.com/p-02430.html, Mr. Brian West's defense team makes the following response...

A good deed may lead to prosecution for Brian K. West, a 24-year-old sales and support employee for an internet service provider in SE Oklahoma. Mr. West has become a statistic for the Computer Analysis Response Team because he alerted a local business to a serious security flaw in their website.

On February 1, 2000, one of West's co-workers created a banner advertisement to be placed on the Poteau Daily News website as part of a legitimate advertising campaign for his employer. To test how the finished ad would look on the site, West clicked the 'Edit' button on Microsoft's Internet Explorer. This action brought up Microsoft FrontPage and should have created a local copy of the web page, allowing West to do a mock-up of the site on his own computer.

In this case, however, Microsoft FrontPage displayed some unusual files due to a server misconfiguration. After some confusion, West realized that the webserver hosting the Poteau Daily News site required no authentication to edit any file on the site. The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password. Clearly, this was a massive security hole.

On February 2, Brian West contacted the editor-in-chief of the Poteau Daily News, Wally Burchett, to tell him about the problem with his company's web site. He did this even though the site was hosted by Cyberlink, a company in direct competition with his own employer.

West Questioned by FBI

West mentioned the flaws in the Cyberlink webserver to Mr. Burchett. When he did, Mr. Burchett became very upset and said he'd call West back. When Mr. Burchett called back, he recorded the call and asked for details on the server problem. In the course of explaining the problem, West let Mr. Burchett know that other companies, including West's own bank, had experienced similar problems configuring server software. Following their phone conversation, Mr. Burchett gave the tape to the Poteau Police Department. That's when the FBI got involved.

The FBI posed as employees of the Poteau Daily News and asked West about dedicated internet access (T1 or better). They called for the best time to come visit him at Cwis Internet Services, the company where he works. After setting up a meeting, the FBI arrived on Feb. 11, 2000. When the FBI, posing as the 'main office' of the Poteau Daily News, asked about the problem with the pdns.com site, West explained the details regarding the pdns.com (Poteau Daily News) website, including how to fix the server misconfiguration. At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked. As it happened, the site was still wide open, two weeks after he had explained the vulnerability and how to fix it to the editor-in-chief of the paper, Wally Burchett.

After the explanation, one of the agents claimed he needed to get something out of his car. When he left, a different agent showed up with a badge and a search warrant. West and the others cooperated with the FBI agents in the search. The FBI spent all day taking data. They also refused to promptly provide a copy of the Search Warrant when one was repeatedly requested.

Almost 16 months after the FBI searched Mr. West's work place, a U.S. Prosecuting Attorney in Muskogee, Oklahoma, called his lawyer stating that they wanted him to accept a felony conviction and 5 years' probation. Brian K. West has yet to be charged with or convicted of any crimes, yet the prosecutor claims that if he doesn't get convicted under Title 18 Section 1030 of the USC, then the prosecutor would try for wire fraud.

Brian K. West, who did nothing more than try to get a local copy of an html document to pre-test how an ad would look on a webpage, using Microsoft FrontPage, may well have his reputation ruined and his finances destroyed as a result of his actions. He did not deface the site. He did not damage anything. He accidentally found a security hole, tested it to make sure it was real, and then called the owner of the site to inform him of the problem. In short, West faces a felony conviction for telling the Poteau Daily News that he discovered a serious misconfiguration in their server.

Documentation on this case, in .pdf format (Acrobat) can be found at the following URL: www.bkw.org/pdf

Contributions to cover the legal expenses for Brian K. West may be made to brian@bkw.org via Paypal, or via Amazon Honor System.

The attorney has notified West that a $10,000.00 retainer will be required, plus ongoing expenses.

Can't donate? Wish to help this case? Contact:

Department of Justice

E-mail: SHELDON.SPERLING@usdoj.gov

Subject: ATTN: Sheldon Sperling

Update: 8/27

Due to the help and support from everyone around, Brian has gained legal defense. Recently Sheldon Sperling posted a news release.

Click here for Brian's defense team's reply.