The following copy was made on 8/18/01 from its source on LinuxFreak at: http://www.linuxfreak.org/post.php/08/17/2001/134.html <-- go to this to add in/post your own follow-up comment.
Posted Aug 17, 2001 by gh0ul
A good deed may lead to prosecution for Brian K. West, a 24 year old sales and support employee for an internet service provider in SE Oklahoma. Mr. West has become a statistic for the Computer Analysis Response Team because he alerted a local business to a serious security flaw in their website.

On February 1, 2000, one of West's co-workers created a banner advertisement to be placed on the Poteau Daily News website as part of a legitimate advertising campaign for his employer. To test how the finished ad would look on the site, West clicked the `Edit' button on Microsoft's Internet Explorer. This action brought up Microsoft FrontPage and should have created a local copy of the web page, allowing West to do a mock-up of the site on his own computer.
In this case, however, Microsoft FrontPage displayed some unusual files due to a server misconfiguration. After some confusion, West realized that the webserver hosting the Poteau Daily News site required no authentication to edit any file on the site. The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password. Clearly, this was a massive security hole.
On February 2, after testing the hole to make sure there really was a problem, Brian West contacted the editor-in-chief of the Poteau Daily News, Wally Burchett, to tell him about the problem with his company's web site. He did this even though the site was hosted by Cyberlink, a company in direct competition with his own employer.
West mentioned the flaws in the Cyberlink webserver to Mr. Burchett. When he did, Mr. Burchett became very upset and said he'd call West back. When Mr. Burchett called back, he recorded the call and asked for details on the server problem. In the course of explaining the problem, West let Mr. Burchett know that other companies, including West's own bank, had experienced similar problems configuring server software. Following their phone conversation, Mr. Burchett gave the tape to the Poteau Police Department. That's when the FBI got involved.
The FBI posed as employees of the Poteau Daily News and asked West about dedicated internet access (T1 or better). They called for the best time to come visit him at Cwis Internet Services, the company where he works. After setting up a meeting, the FBI arrived on Feb. 11, 2000. When the FBI, posing as the `main office' of the Poteau Daily News, asked about the problem with the pdns.com site, West explained the details regarding the pdns.com (Poteau Daily News) website, including how to fix the server misconfiguration. At this time, he did not know they were FBI agents. As part of the explanation, West clicked edit in IE to show them how the bug worked. As it happened, the site was still wide open, two weeks after he had explained the vulnerability and how to fix it to the editor-in-chief of the paper, Wally Burchett.
After the explanation, one of the agents claimed he needed to get something out of his car. When he left, a different agent showed up with a badge and a search warrant. West and the others cooperated with the FBI agents in the search. The FBI spent all day taking data. They also refused to promptly provide a copy of the Search Warrant when one was repeatedly requested.
Almost 16 months after the FBI searched Mr. West's work place, a U.S. Prosecuting Attorney in Muskogee, Oklahoma, called his lawyer stating that they wanted him to accept a felony conviction and 5 years probation. Brian K. West has yet to be charged with or convicted of any crimes, yet the prosecutor claims that if he doesn't get convicted under Title 18 Section 1030 of the USC, then the prosecutor would try for wire fraud.
Brian K. West, who did nothing more than try to get a local copy of an html document to pre-test how an ad would look on a webpage, using Microsoft FrontPage, may well have his reputation ruined and his finances destroyed as a result of his actions. He did not deface the site. He did not damage anything. He accidentally found a security hole, tested it to make sure it was real, and then called the owner of the site to inform him of the problem. In short, West faces a felony conviction for telling the Poteau Daily News that he discovered a serious misconfiguration in their server.
Documentation on this case, in .pdf format (Acrobat) can be found at www.bkw.org/pdf/
Contributions to cover the legal expenses for Brian K. West may be made to brian@bkw.org via the `Donate' link below.
The attorney has notified West that a $10,000.00 retainer will be required, plus ongoing expenses.
Can't donate? Wish to help this case? Contact:
Department of Justice
E-mail: SHELDON.SPERLING@usdoj.gov Subject: ATTN: Sheldon Sperling
Comment on Article
Richard Holt <rholt@telcel.net.ve> Aug 17, 2001
I am ashamed of the US government. I guess this means there will be fewer and fewer good samaritans. I suppose we deserve what we get.
Comment on Article
Rex Davis <adamrd@okstate.edu> Aug 18, 2001
What are these people thinking? He found a security hole and tried to get it fixed for crying out loud! It's like getting arrested for smelling gas outside and calling 911. West did absolutely nothing wrong, in fact he did everything right. Filing charges on this will be a big mistake and a waste of money, for West and taxpayers. Not to mention an utter embarrassment to the DOJ and other officials who lack the basic understanding of computers to even begin building a case on this. Good luck West, and shame on you DOJ. P.S. (A simple computers for idiots book would have this case dropped in court.)
Comment on Article
Janus Shelley <Lunastorm@MyRealBox.com> Aug 18, 2001
This is depressing, but would they actually have anything against him if they tried to get him for wire fraud? As for the refusal to show him the search warrant, that sounds like something for the ACLU. Hopefully this will all end okay and Wally Burchett will be fired and die alone and miserable.
Comment on Article
Brian K. West <brian@bkw.org> Aug 18, 2001
Oh Wally was already fired. But I have also found something else.. if you do a whois on clnk.com you find the billing contact is Evan Gallant.. I wonder if they are any relation to Jeff Gallant the Assistant Attorney on this case! A big ole HRMMMMM
Comment on Article
Jonathan Edwards <jonatha@qx.net> Aug 18, 2001
"In this case, however, Microsoft FrontPage displayed some unusual files due to a server misconfiguration. ... The lack of authentication meant that anyone could edit the Poteau Daily News website by using FrontPage, without ever having to provide a password."

Item 19 in the affidavit implies that the logs show one of those "unusual files" contained userids and passwords, one of which was subsequently used. If I were on the grand jury I would require a good explanation for this before I voted no true bill...
Comment on Article
Brian K. West <brian@bkw.org> Aug 18, 2001
It was like putting your htpasswd file in your public.html folder. I clicked on the file in the FrontPage Explorer.. It was odd that they would put a password file right there where anyone could have requested it.. to be sure that's what this was I did put one of the user/pass combos in the backend script to see if that was what it was.. and that was it. It's like seeing an open door.. with keys laying there in the floor.. you put the key in the lock to see if those keys belong to that door but the door was already unlocked and wide open when you walked up! Is that simple enuf?
Comment on Article
Capt. Jeffry C. Gilb <bosunj@rocketmail.com> Aug 18, 2001
Just another FBI Bureaucriminal and a Federal Prosecutor bucking for a promotion. Assholes!
Comment on Article
Jonathan Edwards <jonatha@qx.net> Aug 18, 2001
"Is that simple enuf?"

Yep. Check your PayPal account...
Comment on Article
Jim G <foo@bar.com> Aug 18, 2001
I'm surprised to see a misspelling in a letter from a United States Attorney. [ "Sincerly" in usdoj-letter.txt ] Don't we pay those guys enough to use spelling checkers?
Comment on Article
Brian K. West <brian@bkw.org> Aug 18, 2001
I was not in a very good mood.. I typed the letter in after receiving it in a fax, the spelling mistake was probably mine... I'll double check it.. Pretty sure you wouldn't type very good after receiving a similar letter
Comment on Article
Jeff Hannon <jjhannon@hotmail.com> Aug 18, 2001
Aside from all the other reprehensible `themes' which this case displays, it also requires knowledge of the story's setting...to be in proper context. As a native Oklahoman I can tell you for sure: 1. SE Oklahoma is not a bastion of internet or PC technology. I'm seriously surprised they have ISP service at all (it literally is in the 3rd World--no disrespect intended). 2. Law enforcement officials associated w/ this culture are probably doing very well if they can operate an AOL dial-up connection, much less understand its mechanics. 3. `Public' service jobs in the 3rd World tend to be granted politically and have very little to do w/ education level. It sounds like no one w/ the exception of Mr. West really knows what they are talking about or dealing with...still no justification for the actions taken.
Comment on Article
<anonymous@linuxfreak.org> Aug 18, 2001
My take... Web guy finds amazingly easy to discover security hole tells competing ISP about defect in its own system. Competing service sees an easy way to eliminate a skilled professional.. or they are idiots and just freak out. FBI is called.. FBI agents in question are fanatics about arresting anyone with technical skill. Ideal hacker busters... both good guys and bad guys.. That is where we are today... I thought this nonsense was over with back in the 1990s.... The next step is judge shopping. This being illegal now it's safe to get the case tossed regardless of ruling... The EFF should pursue this one with some lawsuits of its own.. I think we can start with the persons who called the FBI in the first place... I suspect they have an agenda in this.. Think it this way... Say a RedHat employee were to find a serious defect in Windows.. tells Microsoft... Microsoft sends FBI... agenda to destroy the reputation of a Redhat employee and by proxy Redhat itself... I think it's safe to say Microsoft is well beyond this... (also safe to say Redhat is beyond able to find said defect in the first place) But some companies have been known to get into some sad behavior..
Comment on Article
anonymous <anonymous@anonymous.com> Aug 18, 2001
Please use something besides this lame PayPal system for donations. Amazon Honor System, for example. I tried for 15 minutes to make a $50 donation and I still don't know if it worked or not. It complained that my credit card verification number was wrong - it wasn't. I don't want to join PayPal or be added to their spam list or have them store my credit card number. I just want to make a donation and I am not going to spend all morning trying to do it.
Comment on Article
Brian K. West <brian@bkw.org> Aug 18, 2001
hrm.. I wasn't aware of the Amazon system... I set it up: http://www.amazon.com/paypage/P3EMCVKJQX404O Thanks, Brian