[free-sklyarov] Brian K. West's defense lawyer replies to U.S. Attorney

[Seth Johnson]

(Forwarded from POLITECH list)

-------- Original Message --------
Date: Sun, 26 Aug 2001 22:02:49 -0400
From: Declan McCullagh <declan at well.com>


********

From: "Cherie M. Chappell" <cmc at chappelllawfirm.com>
To: <declan at well.com>
Subject: Brian West - Defense Press Release
Date: Sun, 26 Aug 2001 19:26:06 -0500

Defense Press Release - For Immediate Release

In response to U.S. Attorney Sheldon (Shelly) J. Sperling's web posted
News
Release of 8/24/01, posted at http://www.politechbot.com/p-02430.html 
Mr.
Brian West's defense team makes the following response:

It appears from the facts of this case that Mr. West was allegedly using
Microsoft Windows, Microsoft Internet Explorer, and Microsoft FrontPage
software (all registered trademarks of the Microsoft Corporation) when
he
was inadvertently exposed to the Poteau Daily News & Sun's website
directory
tree.  The web hosting provider for the Poteau Daily News & Sun,
Cyberlink,
was also allegedly running Microsoft NT 4.0 - IIS and Microsoft
FrontPage
with server extensions enabled.

 >From these facts it appears that Microsoft's software may have caused
this
unfortunate situation to occur.   Mr. Sperling or the Federal Bureau of
Investigation may be wise to investigate Microsoft as a possible
co-defendant or party in this case.

It appears that Microsoft's software at issue in this case was developed
and/or produced after the original October 1984 enactment of the
statute.
If this case goes to trial, the Microsoft personnel who developed these
programs will likely be subpoenaed as witnesses by Mr. West's defense
team.
Or if it is found that this software  contributed to, participated in or
caused the events under investigation to occur, Microsoft could be
indicted
under the same statute.

It may be appropriate to ask Microsoft to recall these potentially
statute-violating products from the market or to provide patches to all
of
the affected software owners, worldwide.  (The language of the statute
provides for worldwide jurisdictional authority - if the computer is
"used
in interstate or foreign commerce or communication".)

This case may also involve Oklahoma state antitrust issues.

Under Title 18 of the United States Code, Section 1030(a)(2)(C), the
federal
statute under which the federal investigation against Mr. West is
proceeding, it is a crime for:
"Whoever intentionally accesses a computer without authorization or
exceeds
authorized access, and thereby obtains information from any protected
computer if the conduct involved an interstate or foreign
communication;"
The statute also provides definitions for certain key phrases used in
the
statute.
18 USC 1030(e): As used in this section -
(1) the term ''computer'' means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device performing
logical, arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating in
conjunction with such device,
but such term does not include an automated typewriter or typesetter, a
portable hand held calculator, or other similar device;
(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the United
States
Government, or, in the case of a computer not exclusively for such use,
used
by or for a financial institution or the United States Government and
the
conduct constituting the offense affects that use by or for the
financial
institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;
(6) the term ''exceeds authorized access'' means to access a computer
with
authorization and to use such access to obtain or alter information in
the
computer that the accesser is not entitled so to obtain or alter;
This statute may be fatally flawed.

First, there is a question of the Constitutionality of this statue under
the
1st and 9th Amendments to the United States Constitution.

Second, everyone who places Cookies on millions of computers around the
world without the authorization of internet users could be criminally
prosecuted under this statute, particularly in light of the statute's
definitions of "protected computer" and "exceed authorized access."

Third, senders of certain kinds of SPAM (not the lunch meat) may also be
subjected to criminal prosecution under this statute.   Every U.S.
Attorney
in the country may have the power to criminally prosecute SPAM'ers under
this statute.
Although Mr. Sperling notes in his posting (cited above) that, "[t]he
question under investigation is whether valuable intellectual property
has
been improperly converted" he should note that the provisions of the
Digital
Millennium Copyright Act allowing criminal prosecution for merely
looking at
or caching code do not apply in this case, as that particular portion of
the
DMCA was not enacted until October 2000, a full nine months after the
events
unfolded in Mr. West's case.
Cyberlink or it's owner(s) may be investigated by the Office of Oklahoma
Attorney General Drew Edmondson for possible criminal antitrust
violations
under Oklahoma law (79 O.S. 203(A) and (B))
http://www.oscn.net/applications/oscn/deliverdocument.asp?citeID=89728 
From
the facts in this case, it appears that Cyberlink allegedly exercised
it's
monopoly market power in the Poteau internet service provider market and
allegedly attempted to prevent Mr. West's company from gaining entry
into
that market by allegedly misinforming law enforcement about Mr. West's
contact and involvement with the website of the Poteau Daily News & Sun.

Mr. West's defense team has decided to issue this press release in
response
to Mr. Sperling's press release that was web posted at 21:01 (9:07pm) on
Friday, August 24, 2001, at  http://www.politechbot.com/p-02430.html  
and
because Mr. West's situation has generated a great deal of public
interest.

Mr. West and his defense team thank you for your interest in his
situation.

-Cherie M. Chappell and Kenneth R. Poland

For further information contact:

Cherie M. Chappell, Esq.
Chappell Law Firm, P.L.L.C.
P.O. Box 5243
Edmond, OK 73083-5243
405.340.7755 voice
405.340.7757 fax
Email: cmc at chappelllawfirm.com
URL: www.chappelllawfirm.com

********

From: "Thomas Junker" <tjunker at wt.net>
To: declan at well.com
Date: Sun, 26 Aug 2001 16:34:49 -0500
In-reply-to: <5.0.2.1.0.20010826105411.00a36730 at mail.well.com>

On 26 Aug 2001, at 11:22, Declan McCullagh wrote:

 > Date: Sat, 25 Aug 2001 19:41:18 -0400
 > From: John Noble <jnoble at dgsys.com>
 > Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry
with
 >   statement
 >
 > It's an interesting defense -- accidental penetration.

It's more than interesting:  we seem to have entered the age of
Click on a Link, Go to Jail.  Amplification below...

 > Maybe somebody on
 > your list, Declan, who knows more about network security can answer
this
 > question: if a hypothetical cracker was nailed by real-time
monitoring -- a
 > "gotcha" while online and inside the network -- would he likely know
it or
 > suspect it?

No, but the question presupposes something not suggested by the
published facts I have so far seen:  that Mr. West was "inside the
network."  According to the reports he simply clicked on a function
in Microsoft Front Page to capture a Web page for use as a sample
and, to his surprise, found that Front was allowed editing access to
that page.  That's like walking up to a door in an unfamiliar office
building to read the occupant information and finding one's self
sucked through the door and to an open file cabinet, whereupon the
hidden cameras film one "penetrating" someone's confidential
information.  It was Front Page, a tool from a company notorious for
going out of its way to facilitate insecure accesses by automating
security holes, that did the penetrating, and that was only possible
because the site had not been secured in any way.  No doubt leaving
the site wide open to public modification is the default in Front
Page, which would be true to form.

Another analogy could be visiting a business office for information,
seeing a sign saying, "Public information this way," following the
arrow, opening the door to which it points, finding one's self in a
room full of file cabinets, briefly examining some file folders
thinking they must contain the public information, discovering that
the information is most decidedly not of a public nature, leaving,
reporting the lack of security to the management, and being accused
of "penetrating" the company's files.  It is absurd.

Had Mr. West used something like WebWhacker to capture pages, or
even "Save As" in his browser, he would have been in no danger of
"penetrating" anything, intentionally or otherwise.  His basic
mistake was in using software that tries to do Dangerous Things at
the touch of an innocuous button.  His second mistake was pride --
he had to tell someone how smart he was.  Reporting an unlocked door
to clueless weasels is probably a good way to be asked, "And what
were *you* doing opening that door?" and to be accused of
trespassing.  Or to have detectives show up and ask one, "Can you
show us this door you found unlocked, and can you show us exactly
how you opened it?"  Translate all this into the context of doors
with ambiguous markings in public offices where public information
is advertized to be available and it becomes clear how silly it is.

 > Or can we assume that his voluntary report of his accidental
 > accomplishment was the product of good faith and stupidity?

Yes, overwhelmingly so.  To suggest that he somehow tipped to some
form of monitoring by using Front Page and then 'fessed up to seem
of innocent intent is a far reach.  And what monitoring, for that
matter?  It seems unlikely that people disorganized enough to leave
their Website completely open to editing by Front Page by anyone on
the planet would be together enough to be monitoring their network
in real time for intrusions.  More likely the "monitoring" was the
examination of logs after the fact.

Something else I have not seen mentioned is this:  many TCP/IP
tools, particularly browsers and other Web tools, incessantly send
requests for documents until they receive an answer.  Crank up a
sniffer or other form of raw TCP/IP monitoring and point a browser
at a host that doesn't exist or doesn't answer on Port 80.  You will
see the browser send dozens, perhaps hundreds of requests.  There is
little in such traffic logs to suggest any correlation between the
numerous "attempts" and any wilfullness or repeated action on the
part of the person using the software making the requests.  Worse,
the user is unaware of all that activity, seeing only the spinning
logo of the Web browser, for example, as it tries to contact a
Website.  It is as if your phone had an automatic redial feature
that would continue to dial until achieving a connection.  It would
be as mindless to count the number of calls as some kind of
indication of intent or persistence on the part of the caller as it
may be to count "attempts" to connect to something in the Internet,
particularly something intended to be connected to by its very
nature and by tools that customarily contain automatic retry
functionalities.  Have we now reached a place in La-La Land where
each of 100 or more TCP port connection tries automatically made by
a browser is to become a "count" in an indictment?

 > Date: Sat, 25 Aug 2001 11:30:21 -0700
 > From: Anthony Mournian <mournian at acusd.edu>
 >
 > August 25, 2001
 >
 > ...
 >
 > Somehow this whole thing of Internet security has begun to turn
upside
 > down.

Yea, verily!

 > It has a chilling effect on free and open communication when it
 > becomes a crime to talk about the possibility of breaching security,
or
 > to discuss it in an open forum. It has a chilling effect on free
speech
 > when the U.S. Government decides to act like the 800 lb gorilla and
go
 > after a person like Brian K. West, who did in fact look at the
content
 > of another person's computer, and had the common sense to report the
 > complete lack of security to the computer's owner.

Very well put.

 > Funny, I feel even by writing you this note I invite
 > investigation by Big Brother.

As do I by writing to Declan with the possibility that he may
include my message in his public list.

 > ...
 >
 > Much of this note is off the point, and yet is directly on point. The
 > U.S. Government is too much in many of our lives already, and this
 > newfound Mecca of computer investigation and The Hammer for those who
 > even technically step off the line, as apparently did Mr. West, is a
bit
 > too much.

It is way too much.  It is probably to be expected, though.  People,
including law enforcement, have demonstrated some difficulty in
translating concepts well settled in non-computer contexts into the
world of computers and Internet.  In time this will all shake out
but there will be many casualties along the way.  In a few decades
readers of old accounts of such bizarre applications of law and
legal concepts as we are today witnessing will no doubt shake their
heads over the silliness of it all, much as we can now gape at the
absurdity of the Salem witch trials and others such excursions, but
they will in no way gain a sense of the horror of being one of the
casualties.

There does indeed appear to be a flight of common sense from most
all walks of modern life, from the hamburger flipper who replies to
an order for a burger to go by asking, "Here or to go?" to the
legion of businesses whose Customer Service is less useful than the
time-of-day recording to elected representatives who fall all over
themselves to offer and pass legislation clearly prohibited by
various constitutions.  It should not be all that surprising that
law enforcement entities are seizing on new computer-related
legislation as if the underlying concepts had just been imported
from another galaxy and were to be taken without regard to common
sense or any other established legal wisdom.  On the one hand people
in general are having difficulty applying what they already know to
the Internet; on the other hand it is in the nature of law
enforcment to seek any advantage at the cost of any principle or any
loss of rights for all.  What we cannot yet see is how far down the
road of lunacy this trend will go before it is corrected.

Regards,

Thomas Junker
tjunker at tjunker.com

********

From: "Peter Hollings" <phollings at mediaone.net>
To: <declan at well.com>
References: <5.0.2.1.0.20010826105411.00a36730 at mail.well.com>
Subject: Re: More on Brian K. West, DOJ, and "Good Samaritan"
prosecution
Date: Sun, 26 Aug 2001 14:07:07 -0400

I suspect that most IT security managers would initially respond to an
intrusion by turning on programs that would log the intruder's
activities.  To prevent re-occurance, they'd want to know the intruder's
identity, method of penetration, activities, etc.  Also, any form of
prosecution would depend on this.  (See,  for example:
http://www.cert.org/security-improvement/modules/m06.html .)  Thus, the
intruder would likely NOT KNOW immediately that his presence had been
detected.)

The second question, whether someone could "accidentally" intrude on
someone else's computer is more speculative.  In general, people don't
accidentally access, much less penetrate, another computer, but it's
possible, just like it's possible for a legitimate deliveryman knocking
at a door to find that it swings open (because it's unlatched).
Ultimately, I think that the important issues are things like
motivations, damages, knowledge that it was a secure area being intruded
upon, etc.

Peter Hollings

********

From: mjinks at sysvi.com
Date: Sun, 26 Aug 2001 12:43:56 -0500
To: Declan McCullagh <declan at well.com>
Cc: jnoble at dgsys.com
Subject: Re: FC: More on Brian K. West, DOJ, and "Good Samaritan"
prosecution

On Sun, Aug 26, 2001 at 11:22:57AM -0400, Declan McCullagh wrote:
 >
 > From: John Noble <jnoble at dgsys.com>
 > Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry
with
 >   statement
 > Cc: gharlanr at bellsouth.net
 >
 > It's an interesting defense -- accidental penetration. Maybe somebody
on
 > your list, Declan, who knows more about network security can answer
this
 > question: if a hypothetical cracker was nailed by real-time
monitoring -- a
 > "gotcha" while online and inside the network -- would he likely know
it or
 > suspect it?

"An intruder" given full shell access to the machine in question could
find
out anything about it, within reason, but from what I've read Mr. West
is not
alleged to have had that kind of access.  It sounds like he got
read-write
access to a section of the filesystem, but probably not an area where
any
intrusion detection systems would be residing.

Was he caught on any monitoring systems?

 > Or can we assume that his voluntary report of his accidental
 > accomplishment was the product of good faith and stupidity?

I take some issue with the implication that the incident could not have
happened casually.  Whether it did or not is apparently open to
question,
no doubt we'll be hearing more about exactly what happened and when. 
But
as I read the accounts presented so far, there is every reason to
believe
that the initial intrusion _could_ have happened almost before Mr. West
had
a moment to consider the implications of what he was doing.  The alleged
misconfiguration was that bad, that easy to exploit.

One might ask then, why Mr. West did not immediately cease his actions,
why
he continued to download files if he knew that his access was
illegitimate.
I don't want to speculate on Mr. West's state of mind or intentions at
the
time, but a hole this egregious can outrage a technician, and my own
first
impulse would probably be to alert the owner of the web site, with proof
included.  After all, without proof I'm just smearing a competitor.

Next an assertion without rigor but which I think bears some intuitive
validity: a crime which does not feel at all like a crime, perhaps
because
of the ease with which it may be committed, should probably be viewed
with
a certain degree of leniency.  Taking a shortcut across someone else's
lawn
is trespassing, but it's hardly breaking and entering.  If someone
leaves
a business associate's private documents laying around on their front
lawn,
and a casual passerby picks them up -- well, technically that's
stealing.
But most of the police types and lawyers I've met would probably laugh
at the
notion of prosecuting the guy who picked up an unprotected bundle of
documents
lying on a lawn, rifled through them, realized who they belonged to, and
then
handed them off with the message "hey I found these on your buddy's
lawn."

Maybe he went looking, maybe he had something to gain, but one thing
that
seems clear to me is that without a glaring (negligent?) error on the
part
of the ISP, none of this would have been possible, and it seems
reasonable to
think that the ISP shares at least some responsibility for any harm
inflicted.

As Mr. Mournian seems to suggest in his own letter, the fact that the
Internet
was involved should not cloud the nature of what actually took place.


 > John Noble

Michael Jinks

********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------